The tech industry think tank Information Technology and Innovation Foundation is calling on Congress to repeal existing state and federal privacy laws and replace them with a single national standard that governs data based on its “sensitivity.”
“If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation,” the ITIF writes in a summary of a new report calling for a “grand bargain” on privacy.
“Consumers should have the same protections regardless of which state they live in, and companies should not be faced with 50 different state laws,” the group adds. The ITIF is recommending that Congress scrap a host of existing federal laws -- including the Children's Online Privacy Protection Act, Health Insurance Portability and Accountability Act, and the Family Educational Rights and Privacy Act. The think tank also proposes that Congress override state laws, including a new California measure that gives people the right to know what data about them is held by companies and opt-out of the sale of that information.
The ITIF proposes that a federal privacy law should treat sensitive data differently from non-sensitive data. The group suggests defining sensitive data as “personally identifiable information that likely presents a high risk to individuals if made public, such as health-related data, genetic and biometric data, data regarding children under the age of 13, and precise geolocation information.”
The organization also recommends classifying data collectors into companies providing “critical” services, like Internet access providers, and “noncritical” services, like over-the-top streaming.
The ITIF proposes that companies providing noncritical services notify people before using “non-sensitive” data; one example given in the report is of movie preferences on a video streaming service.
The report also says people should be able to opt out of the collection of “non-sensitive” and “sensitive” data collected by “critical” services -- such as video preferences gathered by an Internet service provider based on network traffic analysis.
And the ITIF says companies providing “critical” services, like broadband access, should only collect “sensitive” data, like health information based on website visits, with people's opt-in consent.
Some advertising groups, including the Interactive Advertising Bureau, recently set out their own proposals for new privacy standards. That organization recently urged the Federal Trade Commission to consider whether data collection practices were reasonable based, in part, on the sensitivity of the data.
But consumer advocates say the distinction between sensitive and non-sensitive is often blurry, arguing that even data traditionally considered “non-sensitive” can reveal sensitive information.
Several high-profile developments in 2018 -- including revelations that political consultancy Cambridge Analytica harvested data from up to 87 million Facebook users -- are sparking a push for new privacy laws. One potential bill, floated last year by Senator Ron Wyden (D-Oregon), would give consumers the right to prevent information about them from being shared or sold by ad tech companies.
Jeff Chester, executive director of the privacy group Center for Digital Democracy -- which backed the Children's Online Privacy Protection Act -- calls the ITIF's proposal “a setback for privacy.”
He adds that he doesn't believe the bill will gain traction on the Hill.
“If we're going to prevent more Cambridge Analyticas, we need a pro-consumer regime.” he says.