IAPP Opinion Piece on Lessons Learned from the GDPR and CCPA for Congress

October 22, 2018 — by Daniel Sepulveda    

This piece originally appeared on the International Association of Privacy Professionals (IAPP) website.

The United States Senate Commerce Committee, as part of a series of public hearings it is holding on privacy, heard the call for a new national data protection and privacy law from industry a few weeks ago. It heard it again more recently from privacy advocates.

The conversation now is about the shape that law should take.

To inform that goal, the Committee’s hearing with consumer advocates examined lessons learned from the EU General Data Protection Regulation and the new California Consumer Privacy Act. These laws constitute a sincere effort on the part of policymakers to empower consumers and update law for the digital age. We support that effort and welcome the conversation, hard thinking, and debate that these new laws have engendered around the world. It is a good and just cause.

Respectfully, however, we believe that by building on those laws, iterating on those ideas, taking what’s good, and redesigning the rest, Congress can do better by consumers and the digital economy. New law should ensure that the consumer has a right to fair treatment and legal protection from unreasonable data practices. She should know and control who in the ecosystem gets access to her data, the volume of data they hold, and the way they use and distribute that data. Law and self-regulation should not leave consumers to their own devices in a complex marketplace for data. What the GDPR and CCPA have gotten right is the need to place the consumer at the center of the digital ecosystem. Now, we need legislators to support the Federal Trade Commission with the power and resources to enforce consumer rights in the digital age.

But both the GDPR and CCPA have, in their construction, either left some problematic ambiguity or built some rules on mistaken assumptions. Congress should consider and correct these in the construction of new U.S. federal legislation.

The free-rider challenge

In the GDPR and CCPA, there is a central question for the providers of advertising-supported services as to what they can or should do if a consumer chooses to reject behavioral advertising. Both the GDPR and CCPA argue that a consumer opposed to interest-based advertising should suffer no penalty as a result of that decision. The outstanding question is what constitutes a penalty and whether or not the consumer should be allowed to use the service without payment.

The CCPA posits that a service provider cannot deny a service on the basis of a consent choice—but it can make up the monetization lost through some other form of compensation. Interpretation of the GDPR and the construction of Europe’s draft ePrivacy Regulation have not made the European definition of penalty clear yet.

The CCPA concept is good in the sense that it recognizes that the provision of services is not free and that service providers have a right to require some form of compensation if they cannot monetize through advertising. But by stating that the service provider can only charge in an amount equal to that of the data lost, the CCPA creates a form of rate regulation that will be tough to understand, quantify, and police. Further, unless the service is a necessary utility, the service provider should not be forced to provide services to anyone. While access to the internet may be considered a utility, necessity, or human right, it is not true that access to all the services made available over the internet falls into that category as well.

Read the rest of the article on the IAPP website here.