To address mounting US user concerns, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the Consumer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. (They have also introduced legislation to increase transparency and consumer privacy protection, though the text is not yet public.) While the Internet Society is weary of a reactionary regulatory trend and would rather see proactive anticipatory movement towards stronger privacy protections, we are supportive of legislation, like the CLOUD Act, that puts more control over how data is used in consumers’ hands, and moves towards a more user-centric Internet.
Currently, US users often have to go through an extensive and complicated process to opt out of data usage practices. Some may not even be aware that those options exist. Opt-out processes make data collection the “default” setting and weaken consumers’ ability to really consent to data handling practices.
The CONSENT Act, however, would require “edge-providers” (defined by the Act as persons that provide a service over the Internet) to notify users when they subscribe, establish an account, purchase, or begin receiving service if their data will be collected. This would make significant gains for user trust, as it would increase transparency at the point when a user first engages with a service – to counter the approach that simply relies on “by using a service you agree to its (privacy) terms”. Of course, it’s not enough to merely notify users. Privacy policies and practices need to be communicated simply and clearly so that users fully understand what data will be collected.
The Act would also require edge-providers to obtain express consent from users before using, disclosing, or permitting access to any of the personal information collected. This is intended to address third-party or secondary uses of users’ personal data. It means that users would have to explicitly opt-in to having their data used. Again, while this is a positive move toward a more user-centric model, the information provided to users should be relevant, straightforward, concise, easy to understand, and delivered at the right time for users to make a meaningful decision.
The bill also includes a “take-it-or-leave-it” provision that would prohibit edge-providers from refusing service to users who do not consent to having their data used for other commercial purposes. Edge-providers would still be permitted to use data for internal purposes, as some data must be used and shared for platforms to function as intended. Sharing that same data with third parties, however, is not necessary to the functionality of the platforms. This provision would give consumers greater power to both protect their privacy and use digital services to their full function.
The Internet Society believes trust is fundamental to the Internet’s success, and, as we’ve said before, privacy is the key to reinforcing trust. It is clear that data collectors need to regain users’ confidence in the Internet by standing up for their privacy, accepting their responsibility to protect users’ privacy, and becoming more transparent about how and when users’ data is used.
Trust in digital platforms has been significantly shaken. Users are becoming more aware of the risk of potential exploitation of their data by platforms and online services. As a result, a worldwide discussion has ensued to identify mechanisms and ways for users to take more control over their data.
For instance, the General Data Protection Regulation (GDPR), which will come into effect at the end of the next month, is the European Union’s major effort to protect user privacy and data. The CONSENT Act, and other forward-looking privacy measures, would better harmonize US policy with a European privacy regime that has tipped the scales to give users more power over the way their information is used by online services. This would make a more user-centric Internet the global norm, ensuring that no matter where users live, they can expect high standards for their privacy, and control over the way their personal information is used.
While there is much to be done to ensure users in the US are as protected as those in Europe, the Internet Society is encouraged by the direction policy makers in the US are heading. The CONSENT Act, as well as proposed legislation from Senators Klobuchar and Kennedy, is a necessary first step to ensure that data collectors protect users’ private information and put the power of privacy and data handling in their hands. However, we encourage the Senators to also consider including accountability measures, including liability provisions, to ensure that services that collect, compile, and manipulate data are liable for the consequences of its abuse.
Additionally, many major digital platforms have shown that they are willing to work with lawmakers to protect consumer interests. Moving forward, we would encourage the Senators to work closely with civil society, the private sector, consumer groups, and academia to ensure that the final bill will effectively increase privacy and user trust without introducing unintended harms or barriers to innovation online. These bills would help consumers regain trust in the online services they use every day, and we hope the Senators will work together to create a bipartisan and comprehensive bill.