As Congress ponders legislation to reform “big tech,” it must view comprehensive digital privacy legislation as desperately needed civil rights legislation, because data abuses often disproportionately harm communities already bearing the brunt of other inequalities.
Harvesting and monetizing personal data whenever anyone uses social media or even vital online services has become ubiquitous, yet it shouldn’t be accepted as normal or necessary. Corporate databases are vast, interconnected, and opaque, making the movement and use of our data difficult to understand or trace. Companies use it to reach inferences about us, leading to lost opportunities for employment, credit, and more.
But those already marginalized lose even more in this predatory data ecosystem.
Data is highly personal. Where we go, online and in the physical world, with whom and how we communicate, how and when we pay for things, our faces, our voices: all of these data points represent aspects of our lives that should be protected. Even when data supposedly has been stripped of “personally identifying” characteristics, companies often can reassemble it into information that leads right to our doorsteps.
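The “reassembly” described above is usually a linkage attack: records released without names still carry quasi-identifiers (ZIP code, birthdate, sex) that can be joined to a public list that does carry names. The following is an added illustration, not code or data from this article; every record, name and ZIP code in it is constructed, and the `exact_key`, `generalized_key`, `link` and `k_anonymity` helpers are the example's own.

```python
# Added illustration (not from the article): a linkage attack that re-identifies
# "de-identified" records by joining them to a public dataset on shared
# quasi-identifiers (ZIP code, birthdate, sex). All records are constructed.
from collections import Counter, defaultdict

# Health records with names removed but quasi-identifiers left intact (constructed).
DEIDENTIFIED = [
    {"zip": "00001", "birthdate": "1964-07-02", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "00001", "birthdate": "1971-11-30", "sex": "M", "diagnosis": "asthma"},
    {"zip": "00002", "birthdate": "1964-07-02", "sex": "F", "diagnosis": "diabetes"},
]

# A public list (think voter roll or data-broker file) that does carry names (constructed).
PUBLIC = [
    {"name": "Alice Example", "zip": "00001", "birthdate": "1964-07-02", "sex": "F"},
    {"name": "Bob Example",   "zip": "00001", "birthdate": "1971-11-30", "sex": "M"},
    {"name": "Carol Example", "zip": "00002", "birthdate": "1964-07-02", "sex": "F"},
    {"name": "Dana Example",  "zip": "00002", "birthdate": "1964-07-02", "sex": "F"},
]


def exact_key(record):
    """Quasi-identifier tuple exactly as released."""
    return (record["zip"], record["birthdate"], record["sex"])


def generalized_key(record):
    """Coarsened quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return (record["zip"][:3], record["birthdate"][:4], record["sex"])


def link(records, public, key_fn=exact_key):
    """For each de-identified record, return the public names sharing its key.

    One name means the record is re-identified outright; several names mean the
    attacker has narrowed it to a small group; none means no match in this list.
    """
    index = defaultdict(list)
    for p in public:
        index[key_fn(p)].append(p["name"])
    return [(r["diagnosis"], index.get(key_fn(r), [])) for r in records]


def k_anonymity(records, key_fn=exact_key):
    """Size of the smallest group sharing a key; k == 1 means some record is unique."""
    return min(Counter(key_fn(r) for r in records).values())


if __name__ == "__main__":
    for diagnosis, names in link(DEIDENTIFIED, PUBLIC):
        print(f"{diagnosis:13s} -> {names or 'no match'}")
    print("k as released:  ", k_anonymity(DEIDENTIFIED))
    print("k generalized:  ", k_anonymity(DEIDENTIFIED, generalized_key))
```

Run as is, the hypertension and asthma records each resolve to exactly one name. Coarsening the quasi-identifiers (`generalized_key`) blurs the two 1964-born women into a group of three, but the one man born in 1971 is still unique, so `k_anonymity` stays at 1: generalizing fields is not the same as anonymizing a dataset, which is why limiting what is collected and retained in the first place matters more than promises that released data has been “de-identified.”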
Consider our phones and tablets — apps harvest our personal and behavioral information, which is subsequently purchased and sold by data brokers, businesses, and governments. A Muslim prayer app, for example, sold users’ geolocation data to a company which in turn gave it to defense contractors serving the U.S. military.
It’s also harder for lower-income people to avoid corporate harvesting of their data. Some lower-cost technologies collect more data than more expensive options; cheaper smartphones, for example, ship with preinstalled apps that leak data and can’t be deleted. Some companies charge customers extra to avoid surveillance: AT&T once charged its internet customers an extra $29 per month to opt out of having their browsing history tracked. And some companies require customers to pay extra for basic security features that protect them from data theft, such as Twitter’s recent plan to charge $11 per month for two-factor authentication via SMS.
Once collected, highly sensitive information about millions of people is up for sale. Despite laws against discrimination based on ethnicity, gender, and other protected characteristics, such as the Fair Housing Act, many corporations have used ad-targeting algorithms that sort people along exactly those lines, steering some vulnerable groups toward disfavored treatment while excluding others from important opportunities. For example, seniors have been targeted with ads for investment scams by subprime lenders, while political ads have been aimed at minority ethnic groups in order to suppress their votes.
Personal data also is used to prevent certain groups from learning about positive opportunities. ProPublica revealed in 2016 that Facebook let advertisers exclude protected racial groups from viewing their content. And one academic journal reported that women receive fewer online ads for high paying jobs than men.
Moreover, automated decision-making systems often rely on the vast reservoirs of personal data that businesses have collected from us. Banks and landlords use such systems to help decide whether to take on potential customers, employers use them to help select workers, and colleges use them to help select students. Such systems routinely discriminate against vulnerable groups, as organizations like the Greenlining Institute and the ACLU have documented. Imagine, as the Greenlining Institute has, an algorithm that uses a loan applicant’s age, income, and ZIP code to predict that borrower’s likely outcome, payment or default, according to a set of rules. But algorithms often learn their rules by first analyzing “training data” for useful patterns and relationships between variables. If that training data is biased, perhaps showing that the lender historically gave higher interest rates to residents of a predominantly Black ZIP code, the algorithm learns to discriminate even though race is never one of its inputs: ZIP code does the work as a proxy.
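The mechanism in the Greenlining Institute's scenario can be shown with a deliberately tiny learner. The block below is an added illustration, not code from this article or from the Greenlining Institute: it trains a one-rule “regression stump” on constructed loan history in which the lender charged more in one ZIP code, then shows that the learner picks ZIP code, that it picks a proxy for ZIP (the `branch` field) when ZIP is removed, and that only removing both closes the gap. The ZIP codes, branch names, applicants and rates are all fictional, and `train_stump`, `predict` and `rate_gap` are the example's own helpers.

```python
# Added illustration (not from the article): a one-rule "regression stump" trained
# on constructed loan history in which the lender charged higher rates in one ZIP
# code. It shows the learner latching onto ZIP, then onto a proxy for ZIP when
# ZIP is removed. ZIP codes, branch names, applicants and rates are fictional.
from statistics import mean, pvariance

# Historical loans (constructed). ZIP "00002" stands in for the neighbourhood the
# lender historically charged more; the applicants are otherwise identical across
# the two ZIPs so that nothing but ZIP (or its proxy, "branch") explains the gap.
HISTORY = [
    {"age": 34, "income": 52000, "zip": "00001", "branch": "North", "rate": 5.0},
    {"age": 45, "income": 48000, "zip": "00001", "branch": "North", "rate": 5.2},
    {"age": 29, "income": 61000, "zip": "00001", "branch": "North", "rate": 4.9},
    {"age": 52, "income": 55000, "zip": "00001", "branch": "North", "rate": 5.1},
    {"age": 34, "income": 52000, "zip": "00002", "branch": "South", "rate": 7.8},
    {"age": 45, "income": 48000, "zip": "00002", "branch": "South", "rate": 8.0},
    {"age": 29, "income": 61000, "zip": "00002", "branch": "South", "rate": 7.7},
    {"age": 52, "income": 55000, "zip": "00002", "branch": "South", "rate": 7.9},
]


def _cost(left, right):
    """Size-weighted variance of the rate within each branch (lower is better)."""
    n = len(left) + len(right)
    return sum(len(s) / n * pvariance([r["rate"] for r in s]) for s in (left, right) if s)


def _candidates(rows, feature):
    """Yield (description, test) pairs: equality tests for strings, thresholds for numbers."""
    values = sorted({r[feature] for r in rows})
    if isinstance(values[0], str):
        for v in values:
            yield (feature, "==", v), (lambda r, f=feature, v=v: r[f] == v)
    else:
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            yield (feature, "<=", t), (lambda r, f=feature, t=t: r[f] <= t)


def train_stump(rows, features):
    """Pick the single feature test that best explains the historical rates."""
    best = None
    for feature in features:
        for desc, test in _candidates(rows, feature):
            left = [r for r in rows if test(r)]
            right = [r for r in rows if not test(r)]
            if not left or not right:
                continue
            cost = _cost(left, right)
            if best is None or cost < best[0]:
                best = (cost, desc, test,
                        mean(r["rate"] for r in left), mean(r["rate"] for r in right))
    _, desc, test, yes_rate, no_rate = best
    return {"rule": desc, "test": test, "yes": yes_rate, "no": no_rate}


def predict(model, applicant):
    """Rate offered to an applicant: the mean historical rate of their branch of the rule."""
    return model["yes"] if model["test"](applicant) else model["no"]


def rate_gap(features):
    """Train on the given features and return (feature the rule uses, gap in
    percentage points between two applicants who differ only in ZIP and branch)."""
    model = train_stump(HISTORY, features)
    north = {"age": 40, "income": 50000, "zip": "00001", "branch": "North"}
    south = dict(north, zip="00002", branch="South")
    return model["rule"][0], round(predict(model, south) - predict(model, north), 2)


if __name__ == "__main__":
    for feats in (["age", "income", "zip", "branch"],
                  ["age", "income", "branch"],
                  ["age", "income"]):
        print(feats, "->", rate_gap(feats))
```

With every feature available the rule splits on `zip`, and two applicants with the same age and income are quoted rates 2.8 points apart. Dropping `zip` does not help: the learner simply switches to `branch`, which encodes the same neighbourhood information, and the gap is unchanged. Only when both are removed do the two applicants get the same quote. That is the practical problem with “fairness through unawareness,” and the reason the text argues for draining the data reservoirs rather than trusting companies to leave particular fields out.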
Like the private sector, government buys data and uses automated decision-making systems to help make choices about people’s lives, such as whether police should scrutinize a person or neighborhood, whether child welfare officials should investigate a home, and whether a judge should release a person who’s awaiting trial. Such systems “automate inequality,” in the words of political scientist and tech scholar Virginia Eubanks, exacerbating existing biases. There are also surveillance concerns: Twitter, Facebook, Instagram, and nine other social media platforms provided the software company Geofeedia with information and location data from their users that police later used to identify people at Black Lives Matter protests.
One data privacy solution to this civil rights problem is to prohibit businesses from collecting faceprints from anyone without first obtaining their voluntary, informed, opt-in consent. That must include consent to use someone’s face (or a similar identifier like a tattoo) in training data for algorithms.
Addressing Overcollection and Retention of Personal Data
Part of the solution is to drain the data reservoirs on which these systems feed by passing laws to limit how businesses collect our data in the first place. Collecting and storing massive quantities of personal information also creates the risk that corporate employees will abuse the data in ways that violate civil rights. For example, 52 Facebook employees were fired for exploiting access to user data; one used the company’s repository of private Messenger conversations, location data, and personal photographs to probe why a woman he dated had stopped replying to his messages.
And overcollection amplifies the harm caused by data breaches, which disproportionately impact lower-income people. Data theft can lead to identity theft, ransomware attacks, and unwanted spam, so victims must spend time and money to freeze and unfreeze their credit reports, to monitor their credit, and to obtain identity theft prevention services. Such costs are more burdensome for low-income and marginalized communities.
Comprehensive federal consumer data privacy legislation must include several provisions.
First, no pre-emption. Federal privacy law must be a floor and not a ceiling; states must be free to enact privacy laws that are stronger than the federal baseline, and to meet the challenges of tomorrow that are not foreseeable today. California, Colorado, Connecticut, Utah, and Virginia, for example, have passed laws in the past few years, demonstrating state legislators’ commitment to protect their constituents’ data privacy. A federal law must not drag them backward.
Second, strong enforcement requires that people have a private right of action to sue the corporations that violate their statutory privacy rights. Remedies must include liquidated damages, injunctive and declaratory relief, and attorney fees. People must be able to bring their claim to a judge, and not be forced into the kangaroo court of forced arbitration.
Third, a comprehensive federal data privacy law must include strong minimization, prohibiting companies from processing a person’s data except as strictly necessary to provide them what they asked for.
Fourth, the law must prohibit companies from processing a person’s data, except with their informed, voluntary, specific, opt-in consent.
Fifth, the law can’t allow pay-for-privacy schemes. When a person declines to waive their privacy rights, companies must be prohibited from refusing to do business with them, charging a higher price, or providing lower quality. Otherwise, privacy will be a commodity that only the wealthy can afford. This safeguard is necessary to ensure that “consent” is truly voluntary.
Sixth, the law must ban deceptive design. Companies must be prohibited from presenting people with user interfaces (sometimes called “dark patterns”) that have the intent or substantial effect of impairing autonomy and choice. This protection is also necessary to ensure that consent is genuine.
And seventh, the law must ban online behavioral ads. Companies must be prohibited from targeting ads to a person based on their online behavior. These ads are especially dangerous because they incentivize all businesses to harvest as much consumer data as possible, either to use it to target ads or to sell it to someone who will.
Some signs of progress
Sometimes the news pushes progress. Since the U.S. Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the protection for abortion rights that had existed for half a century under Roe v. Wade, reproductive health has become a digital rights attack vector. This is especially dangerous for BIPOC, lower-income, immigrant, and LGBTQ+ people, as well as healthcare providers serving them. The My Body, My Data Act — expected to be reintroduced in Congress this year — would create a new national standard to protect personal reproductive health data, minimizing its collection and retention while creating a private right of action for violations and a non-preemption clause to protect stricter state statutes. And in California, AB 793 would protect safe access to reproductive and gender-affirming care by prohibiting “reverse warrants,” in which law enforcement requests identities of people whose digital data shows they’ve spent time near an abortion clinic or searched online for information about certain types of health care — a digital surveillance dragnet that lets bounty hunters and anti-choice prosecutors target these people.
But legislating to protect a specific set of vulnerable people is no substitute for comprehensive reform that protects all vulnerable people. Left unchecked, data privacy abuses affecting us all will grow more numerous and onerous, and disproportionate impacts upon the marginalized will widen.
Without a strong comprehensive data privacy law, America simply can’t have “liberty and justice for all.”