Background
In recent years, the amount of personal information that is collected, used, shared, and sold has skyrocketed. Data-driven companies collect unprecedented amounts of personal information. This trend is only expected to accelerate. With the proper safeguards in place, the proliferation of personal information brings the promise of significant innovations that will benefit individuals, groups, and the broader society. But it also brings challenges, including the importance of providing consumers with robust privacy protections, especially people from groups that are discriminated against. Policymakers and the private sector play important roles in establishing the guardrails that allow data uses that bring lasting consumer benefits while providing consumer privacy protections aligned with AARP’s data privacy and security principles.
Federal privacy laws: In contrast to many other countries’ comprehensive privacy laws, the U.S. has a patchwork of sector-specific federal privacy laws. For example, the Health Insurance Portability and Accountability Act, known as HIPAA, is designed to protect sensitive health information from being disclosed without a patient’s consent (see also Data Privacy policy). Other federal industry-specific privacy laws include the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Federal Educational Privacy Rights Act, Telephone Consumer Protection Act, and Graham-Leach-Bliley Act. The Children’s Online Privacy Protection Act protects the privacy of children under age 13.
No federal agency currently has comprehensive authority to regulate consumer privacy. The Federal Trade Commission (FTC), however, regulates unfair or deceptive acts and practices related to privacy. It requires all companies to maintain reasonable privacy and security of personal information. The FTC’s jurisdiction has been extended through regulatory and court decisions to govern companies’ collection, storage, use, and sharing of personal information. Companies and organizations must properly disclose their privacy practices to consumers ahead of time. They must give consumers notice of their data practices and have consumers consent to those practices in advance. Generally, as long as they do so, they are protected from FTC enforcement, even if the practices they engage in cause consumer harm. As a result, companies and organizations typically have lengthy privacy disclosures. However, they do not always provide consumers with a meaningful ability to control how their data may be collected, analyzed, shared, and sold.
State privacy laws: As of 2022, California, Colorado, Connecticut, Utah, and Virginia have enacted privacy laws. Some national companies are applying these consumer protection laws to consumers across the U.S.
California has one of the strongest privacy laws. It provides California consumers with control over their personal information. The statue, known as the California Consumer Privacy Act, contains many provisions similar to the European Union’s General Data Protection Regulation. It allows California consumers to review, delete, and opt out of data sharing and sale. They also have a right to correct inaccurate information. Consumers also may limit the internal uses of sensitive personal information. The California law also includes a data minimization requirement. This limits data collection, use, retention, and sharing to what is “reasonably necessary” for a product or service to work.
California now also has a dedicated privacy agency, the California Privacy Protection Agency. The agency has primary responsibility for enforcing the law. A private right of action exists only for security breaches. The creation of a single agency dedicated to protecting consumer privacy increases the likelihood that it will have the resources and expertise it needs to effectively conduct rulemaking, oversight, and enforcement.
Data brokers: Data brokers collect, collate, analyze, and sell billions of data points about consumers’ online and offline behavior. Such companies often collect information about financial, retail, recreational, and online browsing activities to create detailed profiles of individual consumers. These profiles allow data brokers to make inferences about people based on the data they collect. For example, they might infer consumer interests about potentially sensitive topics related to age, race and ethnicity, or health-related conditions.
Data brokers are mostly unregulated. As of 2022, the only regulations that exist are the California privacy law and a Vermont law requiring that data brokers register with the state. Unlike consumer reporting agencies, commonly known as credit bureaus, federal law does not require data brokers to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist. They also generally do not know what kind of information is being sold to other companies. Even if they do, federal law does not provide them with core privacy rights to review their personal files; decide how data may be used, shared, or sold; correct inaccuracies; or delete data.
DATA PRIVACY: Policy
DATA PRIVACY: Policy
Consumer choice and control
Consumers should control the extent to which their personal information may be collected, analyzed, shared, scraped, and sold. This includes with third parties with whom they do not have a direct relationship. Organizations (including private companies, nonprofits, and government entities) should obtain clear consumer consent when collecting, maintaining, sharing, or selling personally identifying information, unless the organization has a legal obligation not to do so. They should assess and mitigate risks to consumers of collecting, maintaining, sharing, scraping, or selling personal information.
Consumers should be able to review the information that has been collected, inferred, deduced, or created about them. They should be able to correct inaccuracies, delete data as appropriate, and decide how data may be collected and used at no cost to them. This includes online tracking information and synthetic data, which are created from other data.
Consumers should be provided with enhanced rights to prevent the collection, maintenance, sharing, and sale of their sensitive personal information, such as their health information or Social Security number.
Privacy by design
Privacy protections should be embedded into products and services. Organizations (including private companies, nonprofits, and government entities) must only collect and retain personal information that is necessary to make a product, service, or research project work. This is known as data minimization.
Protections should be updated to keep pace with changing technology and privacy standards. These protections should be developed with strong input from consumer stakeholders.
Organizations should embed privacy protections into data that are shared or purchased. Companies that make non-personally identifiable information available to other companies should contractually prohibit the reidentification of the data after it is made available. Companies collecting or purchasing and using information on consumers should be required to adhere to established privacy framework recommendations.
In particular, policymakers and the private sector should protect individuals’ personally identifiable financial information. Regulations should address the collection, use, and dissemination of such information, as well as information about consumers’ use of goods and services without prior consent.
Transparency and accountability
Organizations (including private companies, nonprofits, and government entities) should clearly communicate:
- what identified and deidentified personal information is collected, inferred, or deduced, and how it can be used, maintained, shared, or sold to others;
- whether artificial intelligence (AI) systems are applied to personal information;
- how data created from the use of AI are used, maintained, shared, or sold to others; and
- how to exercise opt-out rights.
Privacy policies should be written in plain language and disclosed before a consumer uses a product or service. They should be clear, short, and standardized.
Organizations should be required to evaluate and mitigate the privacy risks to consumers.
Privacy laws and regulations should include strong enforcement mechanisms to ensure compliance. These mechanisms include strong enforcement authority, appropriate fines and penalties, and swift compliance deadlines.
Data brokers
Policymakers should conduct oversight on data brokers to ensure transparency and accountability. Data brokers should be required to register with a regulator. Regulators should provide a publicly accessible list of data brokers and their contact information. They should also be required to take steps to ensure that their customers have a legitimate and legal basis for acquiring their data. Data brokers should also be required to meet security standards (see also this chapter’s policy related to Data Security).
Policymakers should provide consumer rights and protections related to data brokers. These include providing consumers with:
- reasonable access to their personal data,
- the ability to correct inaccurate information,
- the right to have their personal information deleted, and
- the capability to block the scraping or sale of their personal information.
These consumer rights should be easy-to-use, speedy, and provided at no cost to the consumer.
Misuse of data
Policymakers should protect against the misuse of data, including:
- stalking and harassment;
- scams and fraud, including identity theft;
- unlawful discrimination;
- erroneous or discriminatory inferences, profiles, and AI outcomes; and
- targeting consumers for products and services that are predatory, do not add value, or are fraudulent. This includes payday loans, car title loans, and home improvement scams.
This includes images, voiceprints, and other likenesses generated through the use of artificial intelligence.
Data should not be used to aid and abet illegal practices.