The General Data Protection Regulation (GDPR) has been in effect for two years in the European Union (EU). As Americans continue to become attentive to GDPR and their own data privacy, it’s not surprising that some data protection guidelines are emerging in the United States. Indeed, it's safe to assume that California Consumer Privacy Act (CCPA) was modeled from the EUs data privacy framework. Though localized to California, CCPA may be the starting point to overarching federal law on online data privacy. Let's talk about what this could mean and how we can get there. Before we drill down on this, however, we first have to understand the issues.
Understanding the Need for a Federal Data Privacy Law
What do we require protection from? As we use the internet, every site visited, or activity done on the web generates metadata. At times, this information is anonymized for your safety, but it still follows you through the network. We've seen this behavior with cookies. Created to bring memory to webpages by developer Lou Montuilli at Netscape in 1994, cookies have since been repurposed as third-party cookies used by brands, ads, and intermediaries in some cases to show you ads through your meta perceived “wants and needs”. The prospect of ads following you around the web and of your device spying on you is a concern for many. But what it’s not a worry for all. A former head of America's Federal Trade Commission during a talk with The Economist had this to say about tracing consumers' digital footprint through online services.
It's okay that they collect information from me while I'm on their site …(for suggestion purposes)… but when you're talking about the sort of invisible Cyber Otzi that put cookies in your computer and track you around the internet and may or may not but may up-sell your information to data brokers and may combine it with offline information and may build these incredibly robust profiles of you, it's just not appropriate unless the consumer gives his or her consent because that information is yours.
Online Privacy Act: An Attempt at a Federal Law
The Online Privacy Act of 2019 (H.R. 4978) was the first preference to tackle online privacy at an overarching federal level. Section 106 of this bill (the Right to Individual Autonomy) states that an entity would not be allowed to collect an individual’s personally identifiable information for behavioral personalization by giving the user the option of opting out while continuing to use said entity service. This would change the way our data is viewed on the net altogether. As of today, this Bill has been introduced into the House and assigned two committees for study. What comes next? If released by those Committees, the Bill gets put on the calendar to be voted on, debated and amended. If passed by the House by a simple majority (more than half of 435 votes), it would then move to the Senate where the Bill would go through another committee along with another vote, debate and amendment process before being voted on. In the Senate, the Bill once again has to pass by a simple majority (more than half of 100) of votes. At that point, the bill would be reviewed by a third Conference Committee of members from the House and Senate to work out any differences between the bills, respectively approved by the House and Senate. The final bill approval from the House and Senate would then get sent to Enrolling by the Government Printing Office before reaching the President's desk, where she/he would have 10 days to sign or veto the enrolled Bill. This process can take anywhere from over a month to a year to have legislation become law (or alternatively get scrapped).
The Anti-Cookie Quest Continues
During a TED Talk, Andy Yen stated the following:
…A lifetime of email, collectively, this tells a lot. It tells where we have been, who we have met, and in many ways, even what we're thinking about. And the more scary part about this is our data now lasts forever, so your data can and will outlive you.
As many individuals take a privacy by design focus to their data, buy-in by entity stakeholders is required to make data privacy full circle within America. Moving away from third-party cookies is a step in the right direction, but we can all agree more has to be done. What areas do you feel were left out of the Online Privacy Act of 2019? Is it expansive enough for systems not yet created?
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.