The new year has brought new action on the privacy front as states and the federal government try to figure out how to protect user data while allowing it to be monetized to support the free internet content model the country has come to rely on.
The alternative could be a Balkanized internet with sites charging for access and users asked to determine for themselves what information they want to share and when they want to share it.
While access and choice was once the mantra — and access still is — privacy activists are concerned that choice could become a synonym for putting the onus on users to figure it all out. For their part, websites would simply provide transparency about all that collection — likely in slightly larger type or in less Byzantine privacy policies.
Platforms big and small are concerned that if an approach like the tough California privacy law that just went into effect becomes a road map for federal legislation — which many Democrats looking to capture both House and Senate in the fall would like — the free online model could definitely be in trouble.
Amazon is no fan of the California Consumer Privacy Act (CCPA), particularly of its broad definition of personal information. The bill established a consumer right of privacy based on disclosure, the right to opt out of data collection or third-party sharing and the right to have data deleted if a user so chooses.
One site dedicated to providing info on where to find radio stations on the internet (StreamingRadioGuide.com) closed its doors at the end of the year, citing the California privacy law. “I have decided to cease operations rather than face the potential legal threats from the California Consumer Privacy Act (CCPA), which goes into effect at midnight on January 1st, 2020,” Fred Stiening, the site’s founder, said in a note to former users.
All of that comes against a backdrop of tension and suspicion aimed from inside the Beltway toward Big Tech in general over breaches and data over-sharing and under-informing, not to mention “real” fake news, election ad issues, accusations of bias and attacks from both the right and the left at web platforms’ current shield from legal liability over third-party content.
Looking to steer that model toward self-regulation, the Trump administration’s National Institute of Standards and Technology (NIST) has released a guide to privacy best practices.
The idea is to continue to get the benefits of data collection while mitigating the privacy risks and avoiding a one-size-fits-all approach, an approach which deregulatory types often associate with "heavy handed" government regulation.
The self-regulatory framework is not binding, but is instead meant to be a tool for privacy-by-design practices that put privacy risks on the same level as other risks.
It is billed as supporting:
• “Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
• “Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
• “Facilitating communication about privacy practices with individuals, business partners, assessors and regulators.”
NIST said the framework is the result of input from public and privacy stakeholders and the product of three workshops, requests for info and comment, five webinars and hundreds of stakeholder meetings.