Legislators should enact a federal law creating baseline privacy rules for the collection, use, and sale of personal information, according to a new report released by the Government Accountability Office (GAO).

Issued at the request of Sen. Jay Rockefeller (D-W.Va.) as part of his investigation into the practices of data brokers, the report reviews the existing landscape of privacy-related laws and regulations, focusing primarily on consumer information used for marketing purposes.

For “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace,” the GAO also interviewed sources from different perspectives, ranging from government agencies to data broker companies to trade associations and consumer and privacy groups.

The result: “Congress should consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace, particularly in relation to consumer data used for marketing purposes,” the report concluded.

The report found that existing laws, which generally target a specific type of information or population, such as the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act, as well as self-regulatory efforts, such as the Digital Advertising Alliance’s Online Behavioral Advertising Program, have not gone far enough. Further, while the FTC has the power to take action against unfair or deceptive practices, the agency’s enforcement on privacy measures has generally been limited to cases in which a company violates its own stated policy.

These “gaps” in current privacy oversight can also be found in new technologies such as mobile devices and the tracking of online consumer behavior, the report found. The “vastly increased marketplace for personal information” and the “proliferation of information sharing among third parties” also pose concerns.

To bridge the gaps and strengthen privacy protections, Congress should consider legislation, the GAO said. Consumers should receive more information about the data companies have about them, as well as the chance to access, correct, and control the information. In addition, Congress should consider whether to restrict the collection and sharing of personal or sensitive information with third parties and whether changes are necessary in the current sources and methods of data collection. Congress should also consider whether privacy controls related to new technologies should be implemented.

The report noted that stakeholders presented very different views on what privacy legislation should encompass. While some advocated for a comprehensive privacy law, others argued that such a one-size-fits-all approach would be too inflexible. “The challenge will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can accord,” the report said.

Why it matters: The GAO is the latest governmental entity to recommend federal privacy-related legislation. In March 2012 the FTC called for Congress to consider enacting basic privacy, data security, and data broker legislation. This followed similar comments by the White House calling for a “Privacy Bill of Rights” to protect consumers online. To date, the privacy legislation that has been introduced in the federal legislature has not gone anywhere, but the issue remains a hot topic for state lawmakers and regulators alike.