Proposed U.S. Privacy Legislation

[T]he recent developments in the online industry make clear the need for privacy legislation. For those who are willing to look closely, there is little indication that self-regulation is working. Privacy policies read more like warning notices and disclaimers. The proposed merger of Internet advertising giant Doubleclick and the largest catalog database firm Abacus demonstrates many of the shortcomings of the self- regulatory approach. The merger would significantly undermine online privacy as advertising is radically transformed. In the absence of a legal framework for online privacy, Internet-based services are also being offered without privacy protections that would otherwise be required. The Internet is quickly becoming a privacy-free zone, where companies can push new products past an unsuspecting public.

In practical terms, advertising will be radically transformed. Where once advertisers could reach segmented markets and still allow potential customers who browsed a news magazine or watched a television show to safeguard their privacy, now advertisers will literally be watching potential customers even as those customers are reading web-based ads. Enormously detailed secret profiles of Internet users will be developed based on transactional records, purchase histories, and clickstream data.

The United States faces a data privacy crisis. Large and powerful technology companies invade our private lives, spy on our families, and gather the most intimate details about us for profit. […] These industries and systems have gone unregulated for more than two decades. And the result has been uncontrolled data collection, large scale data breaches, and an ecosystem dependent on a few large commercial surveillance platforms. […] We need comprehensive, baseline privacy protections for every person in the United States, changes to the business models that have led to today’s commercial surveillance systems, limits on government access to personal data, and strong enforcement of privacy protections.

Federal privacy legislation must limit the collection and use of Americans’ personal data with rules that respect our human right to privacy, limit harmful discrimination and targeting, and support the beneficial evolution of the technologies and systems we rely on in our everyday lives.
[…]
As Congress considers federal privacy legislation, it should learn from and improve upon existing state laws by strengthening privacy protections. The Virginia/Connecticut “models” and the state laws that follow them do not adequately protect privacy. Many of those laws have been heavily influenced by lobbying groups doing the bidding of Big Tech companies, leading to “privacy” laws that, in fact, do little to protect privacy. In a recent report scoring 19 state privacy laws by EPIC and the U.S. PIRG Education Fund, eight received Fs, and none received an A.

EPIC has been calling on Congress to pass a strong comprehensive privacy law for more than 25 years – but the enactment of a weak law that cements the current status quo into law is worse than passing no law at all. Any federal privacy legislation must reflect the reality that America is in a data privacy crisis and that regulation is badly needed to encourage privacy-protective innovations in technology and ensure privacy, fairness, and security in our online world.