Consumer privacy pitfalls for the new Congress to avoid

The new Congress currently taking shape will face many of the same data privacy questions as the last. Americans deserve to know that their information is secure, but when it comes to certain proposals that would apply to our voluntary interactions with private firms, things aren’t quite so clear. As I detail in a new Mercatus Center at George Mason University study, we must strike a balance between protecting consumer privacy and a reasonable use of data.

Some proposed policies, such as the American Data Privacy and Protection Act (HR 8152), are similar to certain state laws or Europe’s General Data Protection Regulation (GDPR) and are likely to have significant unintended consequences, such as reducing mutually beneficial online exchanges. Good privacy legislation should interfere as little as possible with one of the fundamental drivers of today’s digital economy: exchanges of data for online goods and services.

Everyone with access to a computer or smartphone can obtain an enormous variety of valuable services in exchange for data. The digital platforms that provide those services are in business because they expect to earn a profit on their investment, which depends on their ability to collect data that they can monetize, often through targeted advertising. Take away this option, and many services go away.

U.S. privacy policy is largely based on notice and consent. When we go online, we can be almost overwhelmed by privacy policies forcing us to opt in or opt out of data collection and processing. After consenting, consumers cannot be sure what will happen to their data, but notices provided by online firms are useful in helping decide whether to do business with them. However, this can go too far.

Laws requiring firms to seek user consent for collecting data that is merely used to better serve customers or for purposes users should expect, such as targeted advertising, add unnecessary costs to online transactions. The Uniform Law Commission, a nonprofit focused on bringing “clarity and stability to critical areas of state statutory law,” recommends that for compatible data practices such as these, firms should not be required to obtain explicit consent as long as users are notified. Riskier data practices should be more heavily regulated.

Europe’s expansive GDPR and a few state laws include provisions enabling consumers to opt out of data collection and prohibiting firms from treating consumers differently if they opt out. If firms must provide the same services regardless of whether they can use a consumer’s data or not, fewer consumers will make their data available, reducing the earnings of online firms. The result will be fewer of the goods and services for which most consumers are willing to trade relatively benign data, such as information about their hobbies and buying habits.

Of course, internet users have legitimate concerns about their data being used by firms in harmful ways. It is appropriate to expect firms that collect our data to exercise great care in how they use it and who they share it with. But internet platform users should not be surprised if a firm that provides them with a tangible online service intends to profit from the related data. The law should at least permit such arrangements, albeit with restrictions that penalize uses of data that harm the consumer and prohibit sharing of sensitive data, such as social security or credit card numbers.

Regulations such as the GDPR impose other costly requirements. The GDPR requires such firms to conduct data impact assessments and employ a data privacy officer. It makes it harder for firms to sell users’ information to other firms. Although consumers should be able to find out if their personal data is sold to be processed or used by third parties, rules that limit or raise the costs of such exchanges will tend to favor large, vertically integrated online platforms, such as Google and Facebook, and make it hard for small or startup firms to compete with them and perhaps offer something better or more innovative.

To preserve a dynamic economy and encourage America’s market-leading innovation, U.S. privacy legislation and regulation should protect consumers while imposing only necessary costs on firms. Mutually beneficial information exchanges should be permitted. To address privacy harm that may occur after data has been collected, courts can and should hold data controllers liable for damages, and give firms an incentive to be careful with what they do with the personal information they collect.

If we don’t recognize the trade-offs that come with the information economy, we may lose some of it.

Tracy C. Miller is a senior policy research fellow with the Mercatus Center at George Mason University and author of a new study on balancing privacy and information sharing in the digital economy.