Data Privacy

Background

In recent years, the amount of personal information that is collected, used, shared, and sold has skyrocketed. Virtually all companies now collect some personally identifiable information (PII). Moreover, data-driven companies collect unprecedented amounts of PII. This trend is only expected to accelerate. With the proper safeguards in place, the proliferation of personal information brings the promise of significant innovations that will benefit individuals, groups, and the broader society. But it also brings challenges, including the importance of providing consumers with robust privacy protections. Policymakers and the private sector play important roles in establishing the guardrails that allow data uses that bring lasting consumer benefits while providing consumer privacy protections aligned with AARP’s data privacy and security principles.

Federal privacy laws: In contrast to many other countries’ comprehensive privacy laws, the U.S. has a patchwork of sector-specific federal privacy laws. For example, the Health Insurance Portability and Accountability Act, known as HIPAA, is designed to protect sensitive health information from being disclosed without a patient’s consent (see also Data Privacy, Security, and Use). Other federal industry-specific privacy laws include the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Federal Educational Privacy Rights Act, and Graham-Leach-Bliley Act. The Children’s Online Privacy Protection Act protects the privacy of children under age 13.

No federal agency currently has comprehensive authority to regulate consumer privacy. The Federal Trade Commission (FTC), however, regulates unfair or deceptive acts and practices related to privacy. It requires all companies to maintain reasonable privacy and security for consumers’ PII. The FTC’s jurisdiction has been extended through regulatory and court decisions to govern companies’ collection, storage, use, and sharing of PII. Companies and organizations must properly disclose their privacy practices to consumers ahead of time. They must give consumers notice of their data practices and have consumers consent to those practices in advance. Generally, as long as they do so, they are protected from FTC enforcement, even if the practices they engage in cause consumer harm. As a result, companies and organizations typically have lengthy privacy disclosures. However, they do not always provide consumers with a meaningful ability to control how their data may be collected, analyzed, shared, and sold.

Some federal and state policymakers have proposed new laws and regulations to provide consumers with greater control over their personal information. Most of these have not been enacted. California’s law is a major exception. It contains important consumer privacy protections. Some national companies are applying these consumer protections to consumers across the U.S., not just in California. As such, some privacy experts have said that as the California law continues to be implemented, it may serve as a de facto national privacy protection standard.

California Privacy Law: The California Consumer Privacy Act (CCPA) went into effect in 2020. It gives California consumers control over their personal information. CCPA contains many provisions similar to the European Union’s General Data Protection Regulation. It offers California consumers the right to review, delete, and opt out of the sale of their data. In addition, businesses can no longer require consumers to grant full use of their personal data in order to use a product or service.

In November 2020, California voters approved a ballot initiative, the Consumer Privacy Rights Act (CPRA), which will go into effect in 2023. CPRA expands on the privacy protections in CCPA. It aligns protections more closely with the European Union’s landmark General Data Protection Regulation. Increased protections include:

  • an expanded right to opt out of data-sharing, not just of data sale.
  • the right to correct inaccurate information.
  • an expanded right to limit the internal uses of sensitive personal information, not just the sale of this type of information. Such information includes data related to health, race, ethnicity, sexual orientation, precise location, and more.
  • a data-minimization requirement that limits the ability of businesses to collect, use, retain, and share information only that is “reasonably necessary” for the product or service to work.

CPRA also creates a new dedicated privacy agency, the California Privacy Protection Agency. The new agency has primary responsibility for enforcing CPRA. It may fine up to $2,500 per violation ($7,500 for intentional acts). CPRA creates a private right of action only for security breaches. Creating a single agency dedicated to protecting consumer privacy increases the likelihood that it will have the resources and expertise it needs to effectively conduct rulemaking, oversight, and enforcement.

Data brokers: Data brokers collect, collate, analyze, and sell billions of data points about consumers’ online and offline behavior. Such companies often collect information about financial, retail, recreational, and online browsing activities to create detailed profiles of individual consumers. These profiles allow data brokers to make inferences about people based on the data they collect. For example, they might infer consumer interests about potentially sensitive topics related to age, race and ethnicity, or health-related conditions.

Data brokers are mostly unregulated. As of 2020, the only regulations that exist are the new California privacy law and a Vermont law requiring that data brokers register with the state. Unlike consumer reporting agencies, commonly known as credit bureaus, federal law does not require data brokers to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist. They also generally do not know what kind of information is being sold to other companies. Even if they do, federal law does not provide them with core privacy rights to review their personal files; decide how data may be used, shared, or sold; correct inaccuracies; or delete data.

DATA PRIVACY: Policy

DATA PRIVACY: Policy

Consumer choice and control

Consumers should control the extent to which their personal information may be collected, analyzed, shared, and sold. This includes with third parties with whom they do not have a direct relationship. Organizations (including private companies, nonprofits, and government entities) should obtain clear consumer consent when collecting, maintaining, sharing, or selling personally identifying information, unless the organization has a legal obligation not to do so. They should assess and mitigate risks to consumers of collecting, maintaining, sharing, or selling personally identifiable information (PII).

Consumers should be able to review information that has been collected, inferred, deduced, or created about them. They should be able to correct inaccuracies, delete data as appropriate, and decide how data may be collected and used at no cost to them. This includes online tracking information and synthetic data, which are created from other data.

Consumers should be provided with enhanced rights to prevent the collection, maintenance, sharing, and sale of their sensitive personal information, such as their health information or Social Security number.

Privacy by design

Privacy protections should be embedded into products and services. Organizations (including private companies, nonprofits, and government entities) must only collect and retain such PII as is necessary to make a product, service, or research project work. This is known as data minimization.

Protections should be updated to keep pace with changing technology and privacy standards. These protections should be developed with strong input from consumer stakeholders.

Organizations should embed privacy protections into data that are shared or purchased. Companies that make non-personally identifiable information available to other companies should contractually prohibit the reidentification of the data after it is made available. Companies collecting or purchasing and using information on consumers should be required to adhere to established privacy framework recommendations.

In particular, policymakers and the private sector should protect individuals’ personally identifiable financial information. Regulations should address the collection, use, and dissemination of such information, as well as information about consumers’ use of goods and services without prior consent.

Transparency and accountability

Organizations (including private companies, nonprofits, and government entities) should clearly communicate:

  • what identified and deidentified personal information is being collected, inferred, or deduced, and how it can be used, maintained, shared, or sold to others;
  • whether artificial intelligence (AI) systems are applied to PII;
  • how data created from the use of AI are used, maintained, shared, or sold to others; and
  • how to exercise opt-out rights.

Privacy policies should be written in plain language and disclosed before a consumer uses a product or service. They should be clear, short, and standardized.

Organizations should be required to evaluate and mitigate the privacy risks to consumers.

Privacy laws and regulations should include strong enforcement mechanisms to ensure compliance. These mechanisms include strong enforcement authority, appropriate fines and penalties, and swift compliance deadlines.

Data brokers

Policymakers should conduct oversight on data brokers to ensure transparency and accountability. Data brokers should be required to register with a regulator. Regulators should provide a publicly accessible list of data brokers and their contact information. They should also be required to take steps to ensure that their customers have a legitimate and legal basis for acquiring their data. Data brokers should also be required to meet security standards.

Policymakers should provide consumer rights and protections related to data brokers. These include providing consumers with:

  • reasonable access to their personal data;
  • the ability to correct inaccurate information;
  • the right to have their personal information deleted; and
  • the capability to block the sale of their personal information.

These consumer rights should be easy-to-use, speedy, and provided at no cost to the consumer.

Misuse of data

Policymakers should protect against the misuse of data, including:

  • stalking and harassment;
  • identity theft;
  • unlawful discrimination;
  • erroneous or discriminatory inferences, profiles, and AI outcomes; and
  • targeting consumers for products and services that are predatory, do not add value, or are fraudulent. This includes payday loans, car title loans, and home improvement scams.

Data should not be used to aid and abet illegal practices.