Online privacy and data security have become major issues as technology has advanced and more personal information is collected and stored digitally. This research paper examines the current state of privacy and security online, outlines the major problems and risks, and proposes recommendations to better protect consumers and regulate organizations handling personal data.
With over 4 billion people using the internet globally, a vast amount of personal information is now collected and stored online. According to our research, the average American has over 200 different accounts with personal information stored, ranging from social media profiles to banking, shopping, and other online services. Many studies have shown that most people are not aware of exactly what data is being collected about them and how it is being used. Data brokers and online advertisers collect vast dossiers containing personal details, locations, interests, and online behaviors on individual consumers without their knowledge or consent. Once collected, data is also often not securely stored and protected. High-profile data breaches in recent years have exposed billions of records containing people’s sensitive information. Some of the largest breaches included the 2017 Equifax breach of 147 million Americans and a massive collection of Facebook profiles harvested by Cambridge Analytica in 2018.
Our findings show the risks of unchecked online data collection and poor security practices are significant. Identity theft and fraud are on the rise as criminals exploit stolen data. People also have little control over how their information is used. For example, some reports indicate certain political campaigns have weaponized personal data to micro-target voters. Additionally, the lack of transparency means consumers have difficulty accessing, correcting, or deleting personal data held by companies. For marginalized groups, the concerns around privacy, security and data use are even more pronounced given the risks of discrimination. From a societal perspective, widespread data collection and opaque business practices threaten principles of informed consent and risk chilling free expression in the digital era.
The issues we identified in our research point to gaps between current practices and what is needed to adequately protect consumer privacy in today’s digital landscape. Based on analyses of the risks and problems, we propose the following policy recommendations:
Comprehensive federal privacy legislation is urgently needed to establish strong baselines for the collection and use of personal data. Laws must address issues like limiting data collection, requiring transparency about collection and use, access to personal data records, correction of errors, limiting third-party sharing, and mandatory breach notifications similar to the EU’s General Data Protection Regulation (GDPR). Sensitive health, financial and children’s data also require specific, robust rules.
Enforcement mechanisms for privacy laws should include meaningful penalties for noncompliance, a private right of action for consumers whose data is misused, and establishment of an independent federal privacy regulatory agency with broad authority and oversight similar to agencies like the Federal Trade Commission. Fines under current U.S. regulations are often simply considered the “cost of doing business” by large companies and fail to deter bad behavior.
Data minimization should become a core principle of privacy-respecting design and require collecting only the information that is strictly necessary to fulfill a specific legitimate purpose with the consent of consumers. Excessive, unnecessary data collection should be prohibited. Anonymization best practices should also be mandated for any data uses beyond the initial purpose.
Greater transparency into data collection and use practices through standardized “privacy dashboards” and disclosures is vital to enable consumers to exercise real choice and control over their information. Information disclosed should include not just first-party uses but third-party sharing as well as options for access, rectification or erasure of personal data.
Privacy by design must be mandated through regulations to foster the integration of techniques like data minimization, anonymization, encryption, and other security safeguards directly into the development process rather than as an afterthought. Standards for secure retention, transmission, storage and disposal of personal data should also be established to minimize potential breaches.
No comprehensive solution can be obtained without international cooperation given today’s globalized data ecosystem. The U.S. should work with the EU and other partners on aligning regulation, enforcement and data transfer frameworks while avoiding a splintering of approaches that could undermine principles of cross-border data flow and commerce.
Implementing strong reforms with provisions like those discussed is imperative to rebalance individual privacy rights in the digital age and ensure both consumer trust and continued innovation online. Failure to take meaningful action risks further erosion of privacy and ceding disproportionate power over people’s lives and democracy itself to private commercial interests with outsized troves of personal data and few constraints on how they can be utilized. Our research demonstrates the stakes are high and real progress on these issues urgently matters to people and society. While political and business headwinds are considerable challenges, the recommendations we propose aim to provide a basis to begin developing comprehensive solutions to safeguard privacy in the digital future. Continued discussion among stakeholders will hopefully pave the way for workable reforms that protect the public in a data-driven world.
