The Facebook Debacle Proves It’s High Time for Stronger Privacy Laws
In the wake of the Facebook-Cambridge Analytica debacle, we’re hearing a lot of new and interesting ideas about how to solve the so-called Facebook problem: Let’s classify Facebook as a monopoly and break it up. Let’s declare it a public utility and regulate it like electricity or phone service. Let’s force Facebook to reveal exactly how its algorithm works so there’s greater transparency and accountability.
Jessica Rich is the vice president of advocacy for Consumer Reports and served as the director of the Federal Trade Commission’s Bureau of Consumer Protection from 2013 to 2017.
The ease with which Cambridge Analytica was able to harvest and exploit Facebook user data is indeed highly disturbing. However, some context and pragmatism are in order. First, Facebook is hardly the only company that develops detailed profiles about consumers and uses them—or allows them to be used—for commercial and political targeting. This has been going on for years, across a multitude of industries. The current scandal merely pulled back the curtain on a common practice that industry doesn’t like to talk about.
Second, the ability of companies to collect, combine, infer, and sell the kind of detailed information that Cambridge Analytica stockpiled has rapidly expanded while Congress has stood idly by and let it happen—if not enabled it. For more than 20 years, many of us who champion consumers have urged Congress to pass a federal law establishing basic privacy rules that all companies must follow, and that all Americans can count on. With each attempt, industry has objected and Congress has retreated, even recently eliminating the federal rules governing broadband privacy.
Today, even as countries across the globe are strengthening their privacy laws to meet the challenges and threats of the digital era, the US remains one of the only countries in the Western world that still lacks even the most basic rules to protect the privacy of its citizens.
Rather than getting caught up in the shock and outrage about Cambridge Analytica, or dreaming up new and creative solutions to clip Facebook’s (and only Facebook’s) wings, let’s focus more broadly on what is one of today’s most important consumer protection issues and finally do what’s been needed for over 20 years: pass a privacy law that gives all consumers the fundamental protections they deserve across the marketplace. This whole mess happened because in the US, the wholesale collection, use, and sharing of data with third parties is largely unregulated, uncontrolled, and conducted in secret.
The consumer harm goes much further than the now-87 million people deceived in this one Facebook incident. It applies to every American who goes online, uses a smartphone, drives in a smart car, uses a smart watch, or relies on other products that may lack the safeguards needed to protect users’ private information and personal security.
Each day, connected devices track our location, our online searches, the friends we contact, the things we buy, and even what we say in the privacy of our homes. Each day, thousands of data brokers sell information about our finances, politics, religion, race, and personal habits to anyone willing to buy it, including scam artists that use the information to trick and defraud us. Medical websites are largely free to sell our private searches about cancer, Alzheimer’s disease, and depression to the highest bidder. And companies are increasingly using data to charge different consumers different prices—including, as Consumer Reports and ProPublica found last year, higher auto insurance prices to consumers living in minority neighborhoods.
And Facebook is hardly the only company guilty of recklessly handling consumers’ personal information. During the last decade, consumers have been victimized by hundreds of data breaches at companies that profit handsomely from consumer data but fail to protect it, including last year’s massive breach at Equifax. It’s not surprising that, last year, nearly 17 million Americans lost $17 billion to identity theft.
This is an issue of personal security and safety. Just as we needed safety laws for seat belts and cigarettes, we need common-sense laws for online privacy.
Here’s a good place to start. Let’s require companies to post clear information about their data practices—no, not buried in privacy policies or Terms of Service, but prominently displayed in a simple, easy-to-understand, and standardized “dashboard” so consumers can compare companies’ practices. Let’s give consumers an easy, consistent way to say ‘yes’ or ‘no’ to data uses that go beyond the reason they provided it, and ‘yes’ or ‘no’ to having their data shared with third parties like Cambridge Analytica.
Among other things, we need to vastly simplify and standardize the permissions structure that many tech companies use today, which is often misleading and always confusing. Let’s prohibit certain uses of data altogether, like using information about our medical conditions or treatments for marketing. Let’s require companies to secure the consumer data they collect and the devices they sell. And let’s give the Federal Trade Commission—or another agency, if the FTC can’t do it—the strong authority and resources it needs for robust enforcement, including the ability to levy sizable fines for violations.
For too long, companies have profited from consumer data without giving the owners of that data—consumers—the rights, protections, and clear information they deserve. For too long, companies have fostered the specious narrative that collecting and selling consumer data is completely “harmless” because its sole purpose it to tailor advertising and marketing to an individual consumer’s preferences. It’s time to address the real problem by establishing strong standards and accountability—not just for Facebook, but for all companies that collect, use, and profit from our personal information.
WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here.