Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent

Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.

The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.

But then they couldn't compete with ISPs!

[pots]

The principle excuse trotted out for stripping away privacy protections from ISPs, was that those protections didn't apply to websites or other tech firms. So protecting peoples' privacy wasn't fair or something... I didn't really follow that argument, but I don't think that was the point. They just needed some nonsense that they could repeat over and over again until some people started to believe it.

Now we have a bill doing the opposite, I'm interested to see the argument they make in opposition to this one. Granted, since they're not overturning an existing rule they don't need to work as hard in justifying it, so they'll probably just trot out one of their old standbys. Something like: "Regulations bad! Thog smash responsible government!"

However, I would love it if they just flipped that shit around and went full doublethink on us.

Exceptions are made for high quality acronyms

[HeckRuler]

Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act

Initially I balked at the introduction of a new bullshit term like "edge-provider", but that's a mighty fine acronym.

And why do online services get specific punishment? Why not apply this to grocery stores? I don't want HyVee telling anyone I buy 10lbs vats of mayonnaise. (don't judge me).

How about we extend "Browsing history" to the real world. I don't think we want companies tracking and who entered their store and what they looked at. The age of ubiquitous cameras, face-recognition, and customer databases is upon us. With a high enough resolution camera, they could even track where your eyeballs are pointed.

Do you want a list of everyone who ever entered a gun store? Do you want to see who shops at the thrift-mart AND the ... gucci-emporium? Do you want your health insurance provider to know how often you stop at McDonalds?

If you're going to squawk at Facebook abusing "customer" data, you might as well take a closer look at the potential abuse of everyone else's databases.

First Amendment?

[mi]

This is, quite literally, an attempt by Congress to make a law limiting the Freedom of Speech: prohibiting them from telling others something they've learned... Learned without any prior promise not to tell others...

If the Amendment protects the right of newspapers to publish state secrets , why wouldn't it also protect "social media" companies' right to publish our private little ones?

Change the economy of data collection.

[dweller_below]

Attempts to legislatively say: "Thou Shalt NOT" will probably be ineffective when the underlying economy strongly favors collecting, storing, and using private information.

The most effective legal protections against invasive data collection are to change the economy of personal information. This sounds harsh and invasive, but it may be the only workable protection from widespread privacy threats and manipulation.

• 1st, we need to increase the expense of collecting and storing personal data.
• 2nd, we need to decrease the value of using personal data.

For example, we can increase the expense of collecting, storing and exchanging personal data by:

• * Require accurate tracking information on the collection, storage and exchange of personal data. This should include identifying information for every entity that handled the data. This should be coupled with large mandatory fines for any data that is missing past transaction history. Currently, data brokers have low overhead and bear no responsibility for their behavior. They are selling goods worth billions. Their activity should be tracked as completely as credit card transactions. Requiring accurate documentation of the personal data marketplace will increase the expense of reselling personal data.
• * Impose aggressive taxes on collected, stored and exchanged personal information. It obviously has value. It is a major asset of Google and Facebook. It should be taxed like real estate or an economic transaction. The higher the taxes, the less incentive to collect, store and exchange personal information.
• * Forbid exporting personal information from the country of origin. If an entity wishes to collect, store, or exchange personal information, they must do it in the country of origin.
• * Add more teeth to "data breach" legislation. Remove any "due diligence" protection. Impose mandatory fines for data breach. Fines should be based on the number and severity of personal "facts". The higher the fines, the less incentive to collect and store personal information.
• * Impose full breach liability on every upstream entity in the data collection stream. Currently, data collectors and brokers get rich by selling to a wide market and experiencing no liability. Imposing liability for the behavior of down-stream purchasers of personal data will greatly increase the expense of collecting, storing and exchanging personal data.

Then we must work to harden our society against the manipulative effects of collected personal data. This is a continual challenge. Things we might consider include:

• * Require search engines and social media to unmistakably indicate if we are viewing "Relevant, tailored for us illusion" or "Consensus Reality".
• * Consistently penalize search engines and social media when they inaccurately represent "Consensus Reality"
• * Require search engines and social media to provide a simple, always on-screen method to easily switch between "Relevant, tailored for us illusion" or "Consensus Reality".
• * Impose meaningful, effective restrictions on our government's ability to attempt to manipulate "Consensus Reality"
• * Require our government to protect it's citizens from other government's or corporation's attempts to manipulate "Consensus Reality"
• * Impose mandatory penalties on the enabling parties for every occurrence of identity theft. This means penalize the banks, the credit reporting agencies, and even the IRS. If identity theft occurred, then their process must have immediate, corrective feedback.
• * Require multi-factor authentication when authenticating to critical resources.
• * Educate our society that biometrics might be identifiers, but should never be an authentifier.

Ultimately, dealing with the problem of privacy abuse and invasive data collection will take much more than a legislative "Thou Shalt Not".