The WSJ features an interesting debate on whether or not the US should follow Europe’s example in enacting tough privacy regulations requiring individual consent for storing and processing personal data …
Apple has already committed to rolling out the European privacy standard to its customers worldwide, and some 90% of you were in favor of the US having the same rules for all companies.
We outlined the deal with Europe’s General Data Protection Regulation (GDPR) when it came into force last month. The key requirements are:
- There must be a specific, lawful reason to process the data
- Personal data must be encrypted
- You have a right to a copy of your data
- You can ask for your data to be deleted
The first of these requirements is uncompromising.
The law sets out six acceptable reasons to hold your data. Effectively that comes down to either being able to show a reasonable basis for needing to do so (for example, in order to deliver something you have ordered), or having your consent.
When consent is the reason, the law gets very specific. For example, a company can’t add your email address to its database and then rely on offering an unsubscribe link. It must have asked your permission before storing your email. And it can’t pre-check a box and ask you to uncheck it if you want to opt out: everything has to be on an opt-in basis.
The WSJ piece has the University of Southern California’s Jonathan Taplin arguing that the use of personal data by large companies has gotten completely out of hand.
Until this moment, the biggest tech companies—Google, Facebook and Amazon—have collected personal data on more than 2.5 billion people around the globe. That may include your religious and political affiliation, sexual preference, shopping history, every location you have visited online and off line, and your favorite movies, music and TV shows […]
These developments were proceeding at light speed until the European Union started taking aim at Silicon Valley. The EU’s General Data Protection Regulation is the biggest step yet toward undoing the 20-year regime that has benefited Big Tech. I believe that the U.S. should follow the EU model and impose our own version of GDPR.
The Cato Institute’s Julian Sanchez argues that checkbox fatigue means most people will simply agree when asked to consent.
You’ve probably visited a website that, in response to existing EU rules, throws up a banner forcing you to agree to their data policies or click through pages of options before proceeding. And, if you’re like most people, you’ve honed your reflexes to click through these minor annoyances as quickly and automatically as possible.
Like antibiotics, such notices may work when used sparingly, but tend to become ineffective when deployed indiscriminately. To be sure, the GDPR has plenty of other restrictions on how data is used. But when the law demands ritual box-checking even for ubiquitous and, to most of us, unobjectionable uses of data, users are conditioned to speed through the nuisance by simply clicking “agree.”
In our own poll, 90% of you answered ‘absolutely yes’ to US companies adopting GDPR privacy standards, with a further 5% saying it would be nice. Only 2.5% were opposed.