But aside from a federal law, what do they want?
Back when Privacy for America (PFA) – an ad industry group comprising the 4A’s, the Association of National Advertisers, the Digital Advertising Alliance, the Interactive Advertising Bureau, the Network Advertising Initiative and other associations – announced its kickoff in April of this year, we were hungry for details. The group planned to “work with Congress to support enactment of groundbreaking comprehensive federal consumer data privacy and security legislation.”
But aside from hints that PFA would shy away from the harsher consumer opt-out provisions for non-sensitive data sharing that some privacy activists demand, and clear calls for a federal law that would respond to and replace state legislative efforts such as the California Consumer Privacy Act (CCPA), there wasn’t much substance to the announcement.
Which probably makes sense, since specific recommendations wouldn’t be meaningful without the context of a general federal effort.
But still ….
PFA’s latest missive, sent on Nov. 21 to House and Senate leaders from both parties, runs to three pages, but it doesn’t really add much to the previous announcement.
Complaints about state legislatures creating a patchwork of inconsistent online ad regulation that demand a federal reply? Yes, we’ve heard that before. Calls for “a legislative framework that does not put the onus on consumers to sort through myriad onerous privacy notices in an effort to protect their privacy”? Sounds familiar.
Consider the following passage:
“… companies should not be allowed to use someone’s personal information, unless specifically permitted by federal or state law, to deny them a job, credit, insurance or health care. Similarly, the practice of digital redlining – using data about a person’s race, color or religion in setting prices for products or services – should be outlawed."
“The law must also make clear that the most sensitive types of personal information – data like medical, financial or biometric information – must not be used or collected unless a company has a person’s explicit permission. And companies should be barred from sharing someone’s personal information with third parties, unless they have enforceable contracts ensuring that the other party will secure the data and use it lawfully.”
Sorry for the long quote. But we include it here to address a persistent cloudiness from PFA regarding data protection. Protection for medical information, as well as anti-discrimination legislation for members of a race or religion, is already expected and invoked by Americans. Biometric and financial information already enjoys disclosure protections – so strengthening and clarifying those measures online is surely not all that bold a proposal.
But the rubber meets the road in the last sentence:
“… companies should be barred from sharing someone’s personal information with third parties, unless they have enforceable contracts ensuring that the other party will secure the data and use it lawfully.”
Questions abound. What does PFA mean by “personal information”? What is the difference between “medical, financial or biometric information” and personal information? Are they mutually exclusive sets? Or is there significant overlap?
It’s fine to complain about the vagaries of the CCPA or the EU’s General Data Protection Regulation, and to demand a comprehensive legislative alternative from the federal government.
But the request is meaningful only when the people making the demand define their categories and the desired guardrails. The CCPA train has left the station, and any chance of rerouting it will require a compelling alternative.