The US government is proposing to clamp down on data brokers who sell sensitive personal data, such as income, payment history, and health conditions.
Two government agencies have now put forward proposals for regulations to place limits on what is currently the privacy equivalent of the Wild West …
Privacy laws elsewhere
Europe and many other countries and regions of the world have tough privacy laws, which govern how much personal data can be gathered, and how it can be used and shared.
For example, we’ve previously summarized the four main protections offered under Europe’s GDPR privacy law when discussing how Apple was impacted.
- There must be a specific, lawful reason to process the data
The law sets out six acceptable reasons to hold your data. Effectively that comes down to either being able to show a reasonable basis for needing to do so (for example, in order to deliver something you have ordered), or having your consent.
When consent is the reason, the law gets very specific. For example, a company can’t add your email address to its database and then rely on offering an unsubscribe link. It must have asked your permission before storing your email. And it can’t pre-check a box and ask you to uncheck it if you want to opt out: Everything has to be on an opt-in basis.
- Personal data must be encrypted
Even where you have agreed to allow a company to store your personal data, that data must be stored in either an anonymized or encrypted form. This is to ensure that, if the company is hacked, your data is still safe. Also, anyone within the company accessing your data must have a lawful reason to do so.
- You have a right to a copy of your data
You have a right to see all the data a company holds on you. No charge can be made for releasing this data.
- You can ask for your data to be deleted
Provided that there is no compelling reason for your personal data to be retained (for example, you have an active bank account or ongoing loan with a company), you can insist that all your data is permanently deleted.
But data brokers face few controls in the US
Some states – led by California – have implemented similar privacy laws, but there is almost no protection at a federal level.
It’s like the Wild West out there, especially when it comes to capturing and analyzing location data for all kinds of terrifying reasons – which can then be freely sold to anyone who wants to but it.
While the companies involved in this $14B industry claim that only aggregated and anonymized data is sold, numerous investigations have shown that this simply isn’t true.
Just yesterday, we learned that the Federal Trade Commission (FTC) is suing a data broker that can identify people seeking abortions, and that it made samples of that data publicly available. In the past, we’ve seen how location data can reveal everything from where cops’ kids go to school to US troop movements in war zones.
Two US agencies want to change this
The FTC last year said that it was time for this to change, and CNN reports that the Consumer Financial Protection Bureau (CFPB) is now echoing this.
The US government plans to rein in the vast data broker industry with new, privacy-focused regulations that aim to safeguard millions of Americans’ personal information […]
“Reports about monetization of sensitive information — everything from the financial details of members of the U.S. military to lists of specific people experiencing dementia — are particularly worrisome when data is powering ‘artificial intelligence’ and other automated decision-making about our lives,” CFPB Director Rohit Chopra said in a statement. “The CFPB will be taking steps to ensure that modern-day data brokers in the surveillance industry know that they cannot engage in illegal collection and sharing of our data.”
Right now, it’s in a consultation phase with small businesses, but if you want to see it happen, you might want to write to your elected representatives to seek their support.
Photo: Alexander Grey/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments