It’s one of the hottest topics in tech, but despite broad agreement about the importance of online privacy, the United States has yet to pass comprehensive, modern, federal legislation that addresses the issue. U.S. Rep Suzan DelBene, a Democrat from Washington state, wants to change that.
“Technology has created incredible new opportunities, but our laws have not kept up,” she says. “So it is incumbent on Congress to make sure that our laws keep up, that we protect people’s rights in our changing world, and privacy is an important place to start.”
DelBene is seeking to address the issue with a new attempt to pass federal privacy legislation, the Information Transparency and Personal Data Control Act. It comes as more states propose and pass their own privacy laws. DelBene warns that this emerging “patchwork” of state laws threatens to deepen the country’s privacy predicament, creating confusing for consumers and businesses, and diminishing the influence of the country on the issue by presenting a divided front on the international stage.
A former Microsoft executive and startup leader, DelBene joins us to discuss the issue on this episode of the GeekWire Podcast.
Listen above, subscribe to GeekWire in any podcast app, and continue reading for edited highlights. Read one-page summary of the bill here.
Todd Bishop: It seems like this is treated largely as a contractual issue right now. Companies have privacy policies, users like us theoretically read them, and implicitly, or explicitly, consent to how our data will be used. And we all seem to be doing OK, I guess. Why does legislation in general, at any level, matter in terms of privacy?
Suzan DelBene: First, in a digital world, we’re behind when it comes to policy. We don’t have human rights and constitutional rights, civil rights, civil liberties protected in a digital world. And so policy is important in many areas. When we talk about privacy, we want to make sure that people are in control of their personal information, understand what’s happening with it.
Most of the agreements that folks see when they sign up for a service are very complicated, are hard to understand, and so people click “agree” because they don’t have time to go through 30-, 40-, 50-plus pages to read everything, or else they don’t have the chance to use that service. So what we want to see is strong legislation, clear policy, so people know what’s happening with that information, so they’re making an informed decision on whether they want to share information or not.
TB: Tell us about the Information Transparency and Personal Data Control Act. I’m looking for a snappy acronym in there, and I’m not seeing it. So what is your elevator pitch for this legislation that you’ve introduced?
DelBene: The elevator pitch is that people should be in control of their most sensitive, personal information. That we should have a consistent federal policy. That we make sure that when someone is trying to collect your data, that they have to describe that to you in plain language. That if they are collecting sensitive information, they have to get your consent before they can do that.
We need to make sure there is enforcement of a law, so this would make the Federal Trade Commission in charge of that, and that’s critical because if we have a policy and there’s no one there to enforce it, then people’s rights won’t be protected.
The law also has audits so that there would be a third-party audit of companies to make sure they’re practicing good data hygiene, and following policy. Right now you don’t know until you see a problem later. So I think audit is an important piece of this. So making sure that people are in charge of their data is critical, and clear language enforcement and audit are all key components of the legislation.
TB: The audit component is one that really stood out to me. I was talking recently with members of the Amazon Halo team. That’s the health band that right now, in fact, is monitoring my tone of voice and will give me a report later today to indicate whether I was speaking politely during this interview. So we’ll have to wait for that assessment later on, but I asked them about this because they’ve been under scrutiny for the privacy implications of the Halo device, and they insisted, “no, we’ve got the controls in place. We don’t need an outside audit to come in assure consumers that we’re following our own policies.” Why is auditing so important, and how hard will it be for companies to implement what you’re proposing in the legislation?
DelBene: Well, first of all, this is about making sure that consumers’ rights are protected, and an audit can be helpful for someone to give them feedback on whether they are following all the aspects of the law. So I think that is one key element.
But how do you know, as a consumer if your rights are protected, if an organization is following the laws that are in place? We don’t want it to be that people just find out when something goes wrong. I think one key role that audit plays is that it helps make sure that people are keeping up with policy and following the regulation. And so, especially for something new where we haven’t had strong policy, I think it’s even more important for a legislation like this.
TB: There are actually laws in Europe and California, and current legislation in Washington state. Illinois and other states are now coming up with their own bills. Is this a good thing, or a bad thing, in terms of our overall privacy, if states themselves are coming up with legislation and laws rather than the federal government on this issue?
DelBene: Well, in the absence of any federal law, consumers’ rights aren’t protected. And so it makes sense that states are moving forward given that there has not been action at the federal level. I believe we need a federal law because I think we need a strong data protections everywhere in the country.
I think a patchwork of state laws makes it harder for individuals to know what their rights are, and it makes it harder for especially small businesses to know how to comply with the law. If a user moves from one state to another, do they have to pop up a different dialog box explaining things in a different way, or change their policy? It could be extremely complicated.
So federal law is critically important. There’s two state laws now: Virginia just passed a law, California has a law, they’re different. So already with those two laws that have been enacted, or passed through, we are in a situation where we have two different policies, and you can imagine as other states move forward, like Washington State trying to pass a law, that that could make it even more complicated. So it is important that we have a federal law because it’s important that we have a strong policy so that people are protected and know what their rights are across the country.
TB: You made a pragmatic decision to not include in this legislation facial recognition, artificial intelligence. You’re trying to build the foundation before you build the rest of the house as it were.
DelBene: We can cover more ground in policy, but part of the struggle is these are complicated issues, and a lot of lawmakers don’t understand them well. And so I really think it’s important that we take an important piece like consumer data privacy and address that, and then build on it. So you can always do something that is more broad, but then that adds another layer of complexity and challenges to bring folks to the table, and we’re already behind. So my approach has been, let’s take a important area. Let’s focus on that, move legislation, and then continue to build on that.
TB: You just alluded to the fact that in many cases some of your colleagues in the House and also in the Senate, are not perhaps the most tech-savvy. I’m trying to think of the kindest way to put this. Is the difficulty in understanding these issues one of the reasons that this has not gained traction yet, writ large, and what are the other reasons?
DelBene: Well, I definitely think it’s one of the reasons. We have seen a hesitancy to move forward and address issues that have come up based on changes in the way that the world works. Everything from tax policy, and labor policy, and consumer protections were all based on models that were built long before a lot of the innovations we’ve seen today, and policy struggles to keep up.
And part of that is because lawmakers tend, like I think a lot of people do, to put off complicated issues to later, and we start to fall behind. And we’re definitely behind when it comes to issues of technology. And part of it is that folks feel uncomfortable, may not have a good understanding. So it’s been really important that we invest in educating legislators about issues of technology.
TB: Does the election of 2020 increase your chances at this point of finding a Republican sponsor perhaps, a Republican supporter, to come in and help get this bill to become a law?
DelBene: Well, I think we always have an opportunity for this issue to be a bipartisan issue. I do think the concern about trying to understand the issues and come up with the right policy has been more of inhibitor than partisanship. So there always has to be the person willing to take the first step and put something to paper, which I have, but also I’ve talked to folks on both sides of the aisle, and I think this is something where we could have strong bipartisan support.
There’s still a tendency for folks to say, I’m going to wait to see what someone else might do before I make a decision. And that’s probably the biggest barrier that we have in place. So I am working one-on-one with folks, both in the House and the Senate, to help give people the information they need, and do my best to help move policy.
TB: Many times these discussions and the debates over different privacy bills at the state or the national levels, whether here or in Europe, involvessomething called the private right of action. And this would essentially give consumers the explicit right to pursue cases themselves. I know your legislation does not include this provision. Can you explain your thinking on this, what a private right of action would do, and how your legislation approaches this general topic as an alternative to a private right of action?
DelBene: So the key issue we’re talking about is enforcement. How do we make sure there’s strong enforcement, to make sure that people’s rights are protected, and that there can be action taken against folks who are violating the law?
First of all, that’s why it’s important that we have an agency that’s in charge of that, why this bill has to provide that. That’s been a important component because we haven’t given clear authority to a part of the federal government to be the enforcement agency.
My legislation makes it the Federal Trade Commission, and we give them resources to be able to do the work that we think is necessary to do that. Also to address some concerns that folks brought in terms of the ability of states to take action, my legislation also gives power to state attorneys general, so they also can pursue enforcement, and so that there can be enforcement at the federal level, but also a role for the states.
Related: Rep. DelBene introduces federal privacy bill in latest effort to avoid ‘patchwork’ of state laws
The bills that are out there in California and Virginia either have a limited private right of action, or no private right of action. The real issue is, how do we make sure we have strong enforcement, and also make sure that we don’t overburden especially small businesses with litigation. And so we wanted to make sure there was a role for states, and make sure there’s a role for the federal government for enforcement. That’s the approach that I took in this legislation.
And we’ve already seen two states take slightly different versions, but none has a full private right of action, either. So this is one of the issues that I think are going to be important for folks to discuss the right way to do it so that we have a strong federal policy. And we wanted to make sure in my legislation that we had a strong way of letting states and the federal government play an important role.
TB: I think this next question is going to reveal why you’re in Congress and I’m not. Why not just wrap all of this into the antitrust scrutiny that’s going on of Facebook and Google and Apple, and to some extent, Amazon, and use that whole process to insert privacy requirements that would apply not just to those companies, but to the industry?
DelBene: Well, you might’ve missed the point where I said we’re trying to do something contained so we could start doing something foundational, make progress. But also remember this isn’t a tech issue alone. We talk that it’s a tech issue, but every organization is using technology, almost every organization is using technology to interact with people, interact with consumers. If you’re a retailer and you’re selling product, you’re collecting information online. So I think you should not think of it as something that is just an issue for large technology companies.
That’s why it’s so important that we address the consumer rights here, because this is a really a broad piece of consumer rights legislation that I’ve been working on. That’s the focus. And it would apply to all industries who are using technology to collect people’s information. And that’s why it’s important that we have a strong law focused in this area. There are clearly other technology issues out there. And so they’ll be approached in different ways, but this is one that is focused on consumer rights and would apply to many different types of organizations.
Podcast edited and produced by Curt Milton. Music by Daniel L.K. Caldwell.