The tech industry think tank
Information Technology and Innovation Foundation is calling on Congress to repeal existing state and federal privacy laws and replace them with a single national standard that governs data based on
its “sensitivity.”
“If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer
privacy, free speech, productivity, U.S. economic competitiveness, and innovation,” the ITIF writes in a summary of a new report calling for a “grand bargain” on privacy.
“Consumers should have the same protections regardless of which state they live in, and companies should not be faced with 50 different state laws,” the group adds. The ITIF is
recommending that Congress scrap a host of existing federal laws -- including the Children's Online Privacy Protection Act, Health Insurance Portability and Accountability Act, and the Family
Educational Rights and Privacy Act. The think tank also proposes that Congress override state laws, including a new California measure that gives people the right to know what data about them is held
by companies and opt-out of the sale of that information.
The ITIF proposes that a federal privacy law should treat sensitive data differently from non-sensitive data. The group suggests
defining sensitive data as “personally identifiable information that likely presents a high risk to individuals if made public, such as health-related data, genetic and biometric data, data
regarding children under the age of 13, and precise geolocation information.”
The organization also recommends classifying data collectors into companies providing “critical”
services, like Internet access providers, and “noncritical” services, like over-the-top streaming.
The ITIF proposes that companies providing noncritical services notify people
before using “non-sensitive” data; one example given in the report is of movie preferences on a video streaming service.
The report also says people should be able to opt out of
the collection of “non-sensitive” and “sensitive” data collected by “critical” services -- such as video preferences gathered by an Internet service provider based
on network traffic analysis.
And the ITIF says companies providing “critical” services, like broadband access, should only collect “sensitive” data, like health
information based on website visits, with people's opt-in consent.
Some advertising groups, including the Interactive Advertising Bureau, recently set out their own proposals for new privacy standards. That organization recently
urged the Federal Trade Commission to consider whether data collection practices were reasonable based, in part, on the sensitivity of the data.
But consumer advocates say the distinction
between sensitive and non-sensitive is often blurry, arguing that even data traditionally considered “non-sensitive” can reveal sensitive information.
Several high-profile
developments in 2018 -- including revelations that political consultancy Cambridge Analytica harvested data from up to 87 million Facebook users -- are sparking a push for new privacy laws. One
potential bill, floated last year by Senator Ron Wyden (D-Oregon), would give consumers
the right to prevent information about them from being shared or sold by ad tech companies.
Jeff Chester, executive director of the privacy group Center for Digital Democracy -- which backed
the Children's Online Privacy Protection Act -- calls the ITIF's proposal “a setback for privacy.”
He adds that he doesn't believe the bill will gain traction on the Hill.
“If we're going to prevent more Cambridge Analyticas, we need a pro-consumer regime.” he says.