Speaker 0
0:10 – 0:13
Welcome to Tech Talk. Bye. CT.
Speaker 1
0:13 – 0:14
Tea.
Speaker 2
0:17 – 1:12
Hi, and welcome to CDT's Tech Talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Tim Hoagland, CDT's lead designer, digital strategist, and resident podcast engineer stepping up to the mic today, and I'll be sitting in for Brian. And it's time to talk tech. Despite our bit of radio silence the past few weeks, CDT has been running full speed, here since the start of the new year. One key area of focus is getting our spotlight today, CDT's draft privacy legislation. To quote our own privacy and data team's writing, for too long, Americans' data privacy has varied widely, hinging on the tech and services we use, on the companies behind them and on users' ability to navigate confusing notices and settings. It's time for change. Well, now the whole team is joining us today. Michelle Richardson, Natasha Duarte, and Joe Jerome. Welcome, guys.
Speaker 1
1:12 – 1:13
Hey, Tim.
Speaker 2
1:13 – 1:25
You. Hi. First off, thank you guys for joining. I know the lead up to our draft legislation rollout was a grind, but we're marching on. Let's set the stage a bit. Why is now the time for, privacy legislation?
Speaker 1
1:26 – 3:16
Well, let's be clear, Tim. 2018 was sort of the perfect storm of nonstop, privacy news and regulatory developments. You know, from our perspective, the number of just sort of privacy fires we had to put out was endless. Certainly, I don't need to say Facebook. Facebook's had some troubles. But even beyond Facebook, the number of big privacy making headlines was extreme. You know, we looked at mobile carriers, and random data brokers selling precise geolocation information of consumers. We quickly forget that in 2017, Equifax sort of revealed that, that companies were being very insecure with information about our our credit records and reports. So there was just a lot of big headlines that suggested that, well, we really do need some privacy controls. And then, as a practical matter and why I think, frankly, companies and lawmakers have come to the table with such, enthusiasm has been the fact that on both sides, Washington DC is being crushed with privacy regulations. In Europe, there is the general data protection regulation that has really sort of set the tone, for how companies have to protect data globally. And then, really sort of coming in as a wild card at the last minute was the state of California, which passed a bill in seven days, in summer called the California Consumer Protection Act, which set the tone for a bunch of, you know, US privacy restrictions. So this really creates an environment where Congress should step in and and have and make its say of how it should protect privacy. You know, whether now is the time or not, I think we should be we should all state upfront that CDT has been in support of a federal privacy law for twenty years now. Yeah. So the time has always been there to do it. It's just finally people are agreeing
Speaker 2
3:17 – 3:33
with us. Fantastic. Let's, shift a little bit. Why is designing meaningful, workable privacy protection so difficult? You talk about CDT having been an advocate for this for so long. The the iron is is hot for striking, but, why has it been so difficult before?
Speaker 3
3:35 – 4:07
So what we're doing here is coming up with a completely new model for protecting privacy. For for so long, the only legal, model we've had for protecting privacy has been notice and consent. So, if you care about your privacy, the idea is you're supposed to read these confusing privacy policies from every company, every website, every app you interact with, try to understand check boxes and maybe some privacy settings. So long.
Speaker 2
4:08 – 4:08
Yeah.
Speaker 1
4:09 – 4:14
Go read the CDT privacy policy. You spent time trying to make it clear. Yeah. Exactly. It's still not perfect. So that's not really privacy. Right? It Yeah. It
Speaker 3
4:18 – 5:32
privacy. Right? It Yeah. It puts an unfair burden on consumers to try to make choices that align with, what they care about. And then the prevailing wisdom is, you know, if you agreed to something and you didn't like how your data was used, it was your fault. But, really, it's impossible for, you know, any individual to understand these privacy policies and then make the choices that really align with the privacy that they want. The choices themselves are not, what individuals are actually actually choosing. They're the choices that we are given in the marketplace. Right? Companies are in control of what those choices really are. And so we needed to sort of flip the script and come up with a new model for really protecting, the privacy that people expect. And what people expect is that companies will collect some of their data to provide services and value that they want and that that data will be used to provide those services and not for a bunch of other things that people aren't expecting. And so, so the paradigm that we came up with is actually putting limits on, the repurposing and reuse of that of a lot of that data that people aren't expecting. Okay. So reuse or sale of, precise location information,
Speaker 2
5:32 – 5:44
biometric information, things like that. Okay. That's great. Let's dig in then, a little bit to some of the the meat of CDT's, draft. What are the core components of our draft bill, Michelle?
Speaker 0
5:45 – 9:35
So like Natasha said, our goal was to transfer responsibility for data from users to the companies and other people who collect and use data on a routine basis. And Right. We fairly redistribute responsibility Mhmm. For the very high stakes decisions and things that are happening on the basis of this data. Mhmm. So we, one, we did see a role for individual rights. So similar to something like California or Europe, we do have the rights for individuals to access their data, correct it, and delete it. We thought having that sort of control does enhance a person's experience and allow them to change the relationship. Right? Right now, you kinda you're in or you're out, and that's not a meaningful way to handle data. So if you change your mind, if you decide to not use a service anymore, if you find out something disturbing that you didn't understand at first, this is your chance to sort of withdraw meaningfully and not leave all your data behind for the system. We see responsibilities for data holders, and this is data security. We want entities to take reasonable efforts given their size and sophistication to, protect data, and we expect transparency out of them. And that's not just when you sign up for the product in the boxes they give you to check, but, an annual report that's gonna give the broader picture of the things they did with data in the past year. So congress, enforcement agencies, groups like ours can look at it and understand the larger ecosystem. Right? When you're going case by case, there's just no way to get the big picture. Like Natasha said, we did, create a presumption that the secondary uses for the most sensitive types of data should be prohibited. Absolutely. And for us, those are things like the price precise geolocation, the biometrics, children's data For sure. And health information. And this is just because so often the use case that we're all concerned about is that it is shared, and used in ways that you just never intended and couldn't foresee. Mhmm. And then finally, we we do direct the FTC to do some rulemaking around discriminatory practices online. And for CDT, that doesn't mean price discrimination. That means civil rights discrimination. And, you know, we have laws that prohibit discrimination in housing, education, employment. But the Internet is sort of obscuring, you know, when it's happening and how advertising is playing in it. Yeah. So we would like the FTC to just speed up, this process that we've already started of figuring out how to make sure the Internet, you know, doesn't exacerbate these problems and that, our civil rights laws make sense in 2019. Right? So, overlaying all of that, we want serious enforcement. That means, amount of money you can give the FTC to allow them to enforce something that is going to apply to everyone who collects personal information. Mhmm. And, you know, each state has their own interest. They have their own economies and their own, companies that they have a special interest in. And being closer to them, they can make more informed decisions about how to protect their citizens. Mhmm. You know, we want original finding authority so nobody gets a free bite of the apple, you know, regardless how egregious their behavior is. So that's our overview. We do think it is something a little different. Right? I think our criticism of some of the past bills is that they are really notice and consent based, and they really focus on how how do we give people more information. Mhmm. But we need to shoot past that. We need to talk about our digital civil rights. What are the things that you cannot sign away? So we're actually proud that in this bill, we don't mention consent once. None of these rights are waivable. They are yours.
Speaker 2
9:35 – 10:05
That's, a big step, I think. And and one of the the the key areas of context to remember is that this bill is meant to be, a discussion draft. It's supposed to start conversations in places that that law legislators and policymakers and stakeholders haven't been having enough conversations before. So in that vein, highlighting all of the the incredible work you guys have already just talked about, what are some of the things that need more work or the places that you think some of the hardest conversations, have yet to be had?
Speaker 3
10:06 – 11:20
Yeah. So, I'll actually first point to, our blog post, which includes a number of discussion questions, to highlight the fact that this is a discussion draft and the discussion is not over. It's a great read. I'm literally looking at it right now, and it lays this stuff out beautifully. Go ahead. Yeah. So we do think that there are there are pieces of of this, legislation that, you know, having, taken this this, stab at writing it, you know, we hope that these are useful provisions for lawmakers who are working on bills to sort of take, take pieces of that are helpful. One area, that will be really important to focus on going forward is, you know, minority and vulnerable groups bear disproportionate burden of unregulated data collection and data practices as Michelle was just talking about or practices that interfere with civil rights. Sure. And so we've included some ideas in our bill that Michelle just outlined, such as FTC rulemaking to address discriminatory advertising. But it's important that lawmakers also meet with civil rights groups to get their perspective, and we're doing everything we can to support that. Awesome. Go ahead, Jim.
Speaker 1
11:21 – 12:27
Can I just add that one of the real challenges that we've had and where I think there's room for other people to join the conversation is on things like definitions? Sure. So we have a lot of definitions in our in our proposal from things like data brokers to, basically scoping out what exactly health information is because health information is very contextual, and oftentimes, legislative proposals don't get into the nitty gritty of how that would actually work. And and so we put down our suggestions for that, but certainly, you know, they're open to feedback and, you know, and we'd welcome that type of stuff. And then, of course, the the big bugaboo, and something that we're always very interested in is how you craft preemption language. Mhmm. Preemption seems to be, unfortunately, the the sticking point and where people start with federal privacy legislation. But it's very, very hard to do. And oftentimes, both sides, either the people that absolutely want preemption or want no preemption whatsoever, miss the nuances of how difficult it can be to craft a provision that's intersecting with all sorts of existing criminal laws, consumer protection laws,
Speaker 2
12:27 – 13:39
and sectoral laws at the state level. Right. We're coming at this from a very different perspective than the EU is. Right? Privacy landscape being as fractured as it is. And there's there's lots more here in these, in this, blog that we were just talking about, free expression stuff, disclosures, portability, and more. So it's absolutely worth the read. Guys, this is covered an awful lot of territory. I know, behind the scenes, I've watched you guys, put in the hard work. Thank you so much for, for the work that you're doing, but also just for talking to me for ten minutes. Best of luck as you continue on, and thank you for joining Tech Talk. Thanks for having us. Bye. Yay. And that is it for this episode of Tech Talk. Find these episodes on SoundCloud, iTunes, and Google Play, as well as Stitcher and Tuned In. And for the very latest on what CDT is doing on federal privacy legislation, follow along online at cdt.org backslash federal dash privacy dash legislation, as well as on Twitter, Facebook Facebook, sorry, or LinkedIn. I'm Tim Hoagland. Thanks for listening.