As privacy and data security become more critical for everyone, 15 Democratic senators are introducing the Data Care Act, a bill aiming to introduce standardized methods requiring all tech pros to protect and safeguard user information.
The top Democrat on the Senate Communications, Technology, Innovation, and the Internet Subcommittee, Brian Schatz (D-Hawai’i), wrote the bill, which was co-sponsored by the 14 others. “People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” wrote Schatz in a blog post introducing the bill. “Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited.”
The Data Care Act is still a proposal and has not been put to a vote yet, but we’d expect the bill (either in its current form or slightly modified) to pass into law. Here’s a breakdown of what it means for you:
Red (The Bad Stuff)
- Creates tight parameters tech pros must follow.
- It’s government oversight, and many will resist it.
- The bill may make monetization difficult.
Green (The Good Stuff)
- It all but eliminates bad actors as we know them.
- Sets a solid foundation for information security.
- Improves user confidence.
Refactor (Our Take)
If we’re being critical, the Data Care Act is a bit more ‘data privacy for dummies’ than most tech pros might like. Distilled to its purest form, the bill wants to prevent any entity that grabs user data from distributing it for gain. The bill’s language is loose; it simply states an “online service provider” can’t use the personal data of its end-users in ways that will “benefit the online service provider to the detriment of the end user,” or “would be unexpected or highly offensive to a reasonable end user.”
It’s punitive, too. If a service is found in violation of the Data Care Act, it faces mandatory civil penalties. The service must take the number of days it was in violation of the Data Care Act or the number of users affected (whichever is greater), and multiply it by “an amount not to exceed the maximum civil penalty” a company may be liable for under the Federal Trade Commission Act.
In April, Senator Amy Klobuchar (D-MN) vowed to introduce a bill to protect user data. The bill never got off the ground, but Klobuchar did sign the Data Care Act. At the time she announced her own bill, Klobuchar wrote: “The digital space can’t keep operating like the Wild Wild West at the expense of our privacy.”
This quote sticks out. Silicon Valley’s attitude toward user privacy and data security is table stakes in this fight; had companies like Facebook been more responsible with data at the outset, we could have collectively avoided this current situation.
Some of the problems the Data Care Act addresses are technological. Hackers exploit systems’ weaknesses, and the teams that build those systems simply don’t catch the loopholes before it’s too late.
But there’s also suspect intent. How many users who download those free weather apps consider that the app is selling their location data to make ends meet? And does this fall into the realm of “unexpected or highly offensive”? It’s important to note the bill makes no provision for ‘anonymized’ user data.
(It’s important to note that both technological failures and dubious intent are treated and penalized the same way. If you miss a code exploit, you face the same financial penalty as someone who purposefully made a land-grab for user data so they could sell it to the highest bidder.)
There are good actors in Silicon Valley. Apple has taken significant steps to make sure developers and companies accessing the platforms it governs are doing the right thing. Privacy policies are mandatory, and its own services are built with strong security from the beginning. During Apple’s annual developer conference, WWDC, we wrote of Apple’s privacy practices: “At some point, this level of privacy will become expected, not novel.” It seems that time has come.
The Data Care Act isn’t too late, either. While Facebook and Google know a lot about us already, machine learning and in-home platforms such as Google Home will arguably provide far more insight than a website ever could. How much insight about you would an always-listening device provide a company? Likely a bit more than those same companies would obtain by following you around the web; for example, such devices would eventually learn your real-world routines and preferences, such as the television shows you liked the most.
For those in tech, the Data Care Act will cause headaches if enacted. Most companies gather some sort of data from users, and they’d have to be certain that info is safe. If they’re using a third party to safeguard user data, there will have to be assurances that the company is acting in good faith. Add in the regular audits. And more staffers. And a “rainy day” fund in case there is a violation of the Data Care Act. The list goes on.
Again, we’re sure the Data Care Act (or something very much like it) will pass into law at some point, despite lobbying from Silicon Valley to let tech firms continue operating without oversight. The tech ecosystem will likely change significantly. We’re just not sure how yet.