Lawmakers Weigh Idea Of Wading Into Data Privacy
Personal information security legislation pending on Beacon Hill targets a common feature of internet life: the “click-to-agree” privacy policies and terms of use pages that pop up, requiring a user’s consent to often lengthy explanations and disclaimers before they can proceed.
“Who reads them? Nobody,” Rep. Dave Rogers said. “No one, but we want to be on Facebook or we want to be on countless other things, so we just click ‘OK.'”
Rogers said legislation he filed with Rep. Andy Vargas and Sen. Cindy Creem, dubbed the Massachusetts Information Privacy Act, would create “bright line rules” around consent and notice for the collection of data and establish clearer standards around how companies collecting that data can use it.
The bill (S 46, H 142) and others related to data security are before the Legislature’s Committee on Advanced Information Technology, the Internet and Cybersecurity. Sen. Barry Finegold, who chairs the panel with Rep. Linda Dean Campbell, said he expects data privacy to be a “top priority” for the committee, which was newly created this legislative session.
Creem called for lawmakers to step in to ensure that individuals are treated “as the owner of their own data.”
“Currently, individuals have little power to access, delete or prevent the sale of our data,” she said. “We practically have no power. We need more rights to control our personal data and how it is used by third parties.”
The bill Creem filed with Vargas and Rogers, which is backed by the ACLU of Massachusetts, would impose specific protections on the collection of biometric or location information, including a ban on selling that information, and aims to prevent companies from discriminating based on people’s personal information. It would also create a new Massachusetts Information Privacy Commission to create and enforce privacy regulations, and would allow individuals to bring civil actions for alleged privacy violations.
The Retailers Association of Massachusetts strongly opposes including a private right of action, RAM general counsel Ryan Kearney told the committee.
Kearney said the bill would impose “costly and unworkable requirements” on retail businesses, which collect consumer data for functions like sales, deliveries, returns and loyalty programs. He said retailers could face new expenses to change their policies, invest in new technology, and train and hire staff.
Critics of the state-level data privacy bills said the issue is one best left for the federal government, and said that any new measures pursued should seek to address specific problems.
“The last thing that we really want is a patchwork of 50 different standards that would result in uneven distribution of rights as well as severe compliance costs,” said Chris Gilrein of TechNet, which describes itself as a “national, bipartisan network of technology CEOs and senior executives that promotes the growth of the innovation economy.”
Campbell asked TechNet to submit to the committee any examples of legislation from states it feels are handling the issues in the best way.
The ACLU says that the bill proposed by Creem, Vargas and Rogers blends lessons from approaches used in jurisdictions including California, Illinois and the European Union.
“Without a modern data privacy law, corporations have free rein to track our locations and activities, secretly manipulate our opportunities and choices, and take advantage of our personal information for their own profit,” Kade Crockford, Technology for Liberty program director at the ACLU of Massachusetts, said in a statement. “Bay Staters should not have to choose between using the internet and their privacy.”
