Congress has not shown a willingness to curtail the power of the largest technology companies, which amassed record profits amid the pandemic, even as unemployment rates soared and cities placed limits on local commerce for months at a stretch.
Without comprehensive federal privacy legislation, regulating the web has been left to states and companies. That’s led to a confusing jumble of laws and policies, which can be difficult for companies to comply with and for consumers to understand, and which privacy advocates say end up being far too business-friendly.
Nor is simple consent alone enough. In fact, it can create more problems. Bombard someone long enough with consent requests and users will click “yes” to anything to make it stop. Opt-in rules need to be backed with strong enforcement, particularly around misleading or purposefully disruptive consent pop-ups that can dupe users into signing away their data.
The recently approved California Privacy Rights Act bolstered existing law, but it, too, relies on an opt-out system for data collection. In Virginia, companies will need to get consent to track the most sensitive data, like location, religion and sexual orientation, but it is an opt-out system for everything else, including the sale of consumer data.
The Washington State Senate just passed and sent to the State House a bill that lacks sufficient opt-in defaults. A 2019 Maine law requires internet service providers to get consumers’ consent before collecting, using or selling their data, while Nevada law provides only for users to halt its sale. Among the more stringent such laws is Illinois’s, but it applies only to biometric data, such as fingerprinting and facial recognition.
Lawmakers in at least a dozen other states have proposed legislation addressing user privacy, almost entirely with rights provisions only to opt out of data collection.
All of this is why federal legislation is so urgently needed. That should include provisions making personal data collection available only with consumers’ prior consent. (Some data is needed to ensure products are working properly.) The European Union’s General Data Protection Regulation, for instance, may provide some guidance over how to empower users to halt the dissemination of their data. If American consumers want more targeted advertising, or wish to freely share other personal data, they can choose to do so, rather than trust that companies have their best interests in mind.