On Friday, November 9, 2018, EFF submitted a letter in response to the U.S. Department of Commerce's request for comment on "Developing the Administration's Approach to Consumer Privacy," urging the agency to consider any future policy proposals in a users' rights framework. We emphasized five concrete recommendations for any Administration policy proposal or proposed legislation regarding the data privacy rights of users online:
- Requiring opt-in consent to online data gathering
- Giving users a “right to know” about data gathering and sharing
- Giving users a right to data portability
- Imposing requirements on companies for when customer data is breached
- Requiring businesses that collect personal data directly from consumers to serve as “information fiduciaries,” similar to the duty of care required of certified personal accountants.
But, to be clear, any new federal data privacy regulation or statute must not preempt stronger state data privacy rules. For example, on June 28, California enacted the Consumer Privacy Act (S.B. 375) (“CCPA”). Though there are other examples, the CCPA is the most comprehensive state-based data privacy law, and while it could be improved, its swift passage highlights how state legislators are often in the best position to respond to the needs of their constituents. While baseline federal privacy legislation would benefit consumers across the country, any federal privacy regulation or legislation that preempts and supplants state action would actually hurt consumers and prevent states from protecting the needs of their constituents.
It is also important that any new regulations be judicious and narrowly tailored, avoiding tech mandates and expensive burdens that would undermine competition (already a problem in some tech spaces) or infringe on First Amendment rights. To accomplish that, policymakers must start by consulting with technologists as well as lawyers. Also, one size does not fit all: smaller entities should be exempted from some data privacy rules.