Sensitive consumer data are everywhere, and they are vulnerable. Just this year, we learned that two billion Facebook users’ information was harvested by bad actors. Hundreds of thousands of Delta Airlines travelers’ credit card information was breached. More than 150 million consumers’ data on Under Armour’s MyFitnessPal app were compromised.
In 2018, invasions of privacy are as commonplace as turning on a smartphone or clicking on an app. They are the new normal. It is no surprise that more than 80 percent of American adults online are concerned that their personal data may be stolen.
Privacy is about the safety of your personal information. But it is also about your ownership of that information. In both respects, the rest of the world is moving forward while the United States is falling behind.
In May, Europeans began benefitting from a new set of comprehensive privacy rules, the General Data Protection Regulation, or GDPR. Under the European privacy rules, personal data belong to the consumer. Companies must meet strict requirements to use personal information, and they cannot claim to have your permission unless you’ve provided informed and unambiguous consent.
The European standard is “opt-in.” What does that mean? It means companies cannot assume they have permission to use your information. It means a pre-checked box is not adequate. It means the consumer, not the corporation, is in control.
In the European Union system, privacy is not an afterthought. Any entity that uses consumer data — websites, banks, retailers, but also universities and health care providers — must develop their systems to protect users’ privacy by design and must have appropriate security measures. The law enshrines privacy as a right for Europeans. Residents of the EU will have the right to know how their data are used, the right to access and correct their data, and the right to revoke companies’ permission to use their data.
This sweeping set of guidelines is an important step forward for EU consumers. Disappointingly, the American people are left waiting for another data breach and the next push notification about an exposure of their personal information.
The recent failures of social media giants like Facebook to protect users’ data have placed privacy front and center in our national consciousness. The American people want and deserve an online privacy bill of rights, one that institutes an opt-in standard and requires websites to describe in detail all collection, use, and sharing of consumers’ sensitive information. And Internet service providers should also secure permission to use information about what you click and what websites you visit. You should have a right to know whether they are giving that information to advertisers, and you should have the right to tell them to stop.
Now that the European privacy law has taken effect, the American people are left to wonder why they are getting second-class privacy protections. If US companies can afford to protect 500 million Europeans’ privacy, they can afford to do so for 325 million Americans, as well. The European privacy law proves that American companies can provide robust privacy protections, and we all know they should.
The era of Big Data should not be the era of Big Danger. Sadly, as the world moves forward to respond to the threats that come with the availability of troves of personal information online, the Trump administration has ceded US global leadership. In the absence of strong federal regulation, it is time for Congress to act to protect the 21st-century right to privacy. We need legislation that makes consent the law of the land. Voluntary standards will not be enough. We need rules on the books that all companies abide by that protect Americans and ensure accountability.
Democratic Senator Edward J. Markey of Massachusetts is a member of the Commerce, Science, and Transportation Committee. He has introduced a Senate resolution calling for US companies and institutions covered by the GDPR to provide Americans with privacy protections included in the European law.