Speaker 0
0:00 – 6:40
Hello, I'm Ryan Cook and this is Civic Tech Chat, a podcast about the civic technology movement. We seek to harness the power technology has to improve the delivery of public services to people everywhere. Welcome back to Civic Tech Chat. We made it almost one year here at the program, and we have you to thank for that. Thank you for your support, encouragement, and continued listening. If you'd like to give us your thoughts on what we're doing here, head on over to civictech.chat. There, you can click on the give feedback link. We read all the submissions, and we'll use what you send us to make this show better. For episode 26, we'll be focusing on Internet privacy. We're going to talk about what it is, why it's important, how things stand in the US, and cover a bit about a California law set to go into effect next year. So what do we mean by Internet privacy? Simply put, this term describes the rights you have in the context of information about you that's stored, used, sold, or displayed on the Internet. This data can include the sites you browse, the things you buy, the places you've been, or even those like buttons you've clicked. Being aware of your privacy in this context is important because the tools you use every day likely collect information about you. Companies like Google, Facebook, Twitter, and others all keep tabs on what you're doing to some degree. Their very business model means they have an interest in the searches you do, the interest you have on social media, as well as the emails and messages you send. All of this data fuels advertising, learning algorithms, and other data profiling activities. In the United States, we have an increasingly lax regulatory setup. In March 2017, the US Congress passed a measure that repealed Obama-era privacy protections. These rules required Internet service providers or ISPs to get permission from consumers before sharing personal information, including location data.
Proponents of the measure explain that this repeal merely puts ISPs on the same playing field as companies like Google, Facebook, and others. Ostensibly, this leaves us with the Federal Trade Commission or the FTC as the agency to look for investigations and enforcement. FTC Commissioner Noah Joshua Phillips seems to favor a narrower approach. To them, the risk-based approach that the US currently uses is most appropriate. In context, this means placing the greatest burden where the legislature decides the greatest privacy need lies. An example of that where this would apply is the health care industry. The FTC commissioner is also noted as having voiced concern over legislation like Europe's General Data Protection Regulation or GDPR. To the commissioner, these laws are too wide in their breadth. All of this said, state legislators have been moving to act in lieu of the federal government. One state to do so is California. The California Consumer Privacy Act of 2018 was signed into law by Governor Jerry Brown June. At a high level, this legislation seeks to allow folks to know what's being collected about them, why it's being collected, and who it's being shared with. The specific rights granted to Californians in this legislation are rather interesting. It allows them to opt out of allowing their information being sold. It allows requesting a copy of the data being collected as much as twice in a twelve month period. Perhaps more important, it requires companies to comply with such requests without discriminating against the consumers making them. These organizations are prevented from charging you a different price or offering you goods and services at a different quality level. That said, there are exceptions to this. If, for example, the data collection relates directly to the quality of service being provided. Additionally, companies can offer financial incentives, including payouts as compensation for data use.
Though these incentives are not meant to be, in the legislation's words, unjust, unreasonable, coercive, or usurious in nature. The law also has provisions allowing folks to request information about them to be deleted. Though, again, there are some exceptions, and those might be complying with legal obligations, detecting security incidents or breaches, protecting the exercise of free speech, say, of other users, completing an action the data was specifically collected for, or compliance with other California laws that are noted in the legislation. While comprehensive, the law isn't quite at the level of something like Europe's GDPR. For instance, the GDPR allows for fines topping $46,000,000. The California law, on the other hand, tops out damages at $750 per person, as well as $7,500 per violation that's tied to an organization. Additionally, it doesn't provide a time requirement for notifying consumers of a security breach, which again, the GDPR does. Let's also remember that this is a California law, meaning it protects folks that live in that state specifically. Granted, there are things that companies will need to do that to comply that will likely benefit us all and likely in the world of making software changes, they wouldn't necessarily make specifically just for Californians. But it will still be possible for organizations to refuse requests for deletion or retrieval, well, based on where they live. I suppose, though, we'll have to see what happens in 2020. It's going to be an interesting year ahead as organizations race to be compliant with this new law. But what do you think? Should the US have a legal framework like Europe's GDPR or this California law? Let us know by tweeting us at civic tech chat or emailing us using info@civictechchat. You can follow us on Twitter using the handle at civic tech chat, visit us on the web at civictech.chat, or subscribe to us for content updates wherever it is you download your podcasts.