Resilient regulation can help end the tech-consumer stalemate

The U.S. Senate Committee on Commerce, Science, and Transportation conducted, in serial fashion, two hearings on consumer data privacy.

On Sep. 26, for the “Examining Safeguards for Consumer Data Privacy” hearing, it invited executives from AT&T, Amazon, Google, Twitter, Apple and Charter Communications to testify.

On Oct. 10, for the “Consumer Privacy: Examining Lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)” hearing, the committee heard from consumer privacy advocates, including:

• the head of the Austrian Data Protection Authority;
• the chair of the European Data Protection Board;
• the chair of Californians for Consumer Privacy, which sponsored the ballot measure leading to the CCPA;
• the executive director for the Center on Privacy & Technology at Georgetown Law; and
• the president and CEO of the Center for Democracy & Technology.

Predictably, the industry representatives recommended one thing in September, and the privacy advocates called for quite another in October.

Significantly, however, the tech industry leaders were no longer protesting that industry self-regulation was sufficient and that government regulation was both unnecessary and burdensome.

At the hearing, they endorsed federal consumer privacy legislation, provided that it was less stringent than either the GDPR or the CCPA and it preempted CCPA and any other state legislation that might come down the pike. 

Two weeks later, the consumer advocates called for strong federal regulation that, while stringent, would exist in parallel with state regimes.

The two groups differed over opt-out versus opt-in. The execs wanted to track all users who do not expressly opt-out of tracking; the advocates wanted opt-out as the default, with opt-in as an act of deliberate choice.

As for users’ ability to download their personal data, industry leaders want to avoid that, whereas consumer advocates demand it. Tech executives favor terms of service that restrict users’ rights to withdraw consent to data collection; advocates support the right to withdraw any time.

Had the two groups been together in one meeting, there might have been some interesting debate. But the twain, separated by a fortnight, never did meet.

Optimists will nevertheless claim progress. Not long ago, industry railed against any regulation. In September they embraced weak federal regulation — just as long as it elbows aside stronger state laws. The truth, however, is that both sides are dug in — a little closer than in the recent past, but still far apart.

The reason for the absence of meaningful dialogue and meaningful movement is that the two sides persist in choosing the wrong adjectives. They argue over preemptive federal legislation versus state legislation. They fight over tough legislation versus soft legislation.

What they should do is discard all of these modifiers and instead embrace, together, just one type of legislation: resilient. We need privacy regulation that promotes the resilience of data privacy and security. And we need it whether we run Google and Facebook or use Google and Facebook.

Traditional models of cybersecurity are mostly about locking up and hunkering down. In contrast, digital resilience is about finding ways to stand up and do business safely.

A resilient approach to consumer data privacy would be opt-in, but it would also encourage each online platform to educate its consumers to the advantages of choosing to opt-in versus the opportunity costs of a default opt-out. The resilient approach would encourage online businesses to actively promote the benefits of opting-in.

Similarly, a resilient regulatory regime would unconditionally allow consumers to download whatever personal data the online platform has captured from them. For its part, the platform should demonstrate how highly it values that data, respects it, protects it and uses it to create greater benefit for the consumer.

Consumers need to feel that they are exchanging value for value with online platforms, not fecklessly letting their pockets get picked.

Resilient regulation must also allow consumers to withdraw consent at will. The challenge to the business is to create a value proposition so attractive that no consumer would dream of exercising the right of withdrawal. Isn’t successful marketplace competition all about creating the most attractive value proposition? Hasn’t that always been the case?

Today, safe data handling is no longer a backend IT function but an out-front product benefit. Consumers want to work with companies that safeguard their data. Instead of grudgingly adhering to regulatory rules, the resilient business promotes every step it takes to handle data securely, discreetly and respectfully.

It markets regulatory compliance as a value added that confers a competitive edge. Resilient companies educate their customers to make intelligent decisions about their privacy. These firms demonstrate that they value their customers’ data, and they show them how they leverage that value in the form of delivering better service and an improved customer experience.

They engage in a service-oriented dialogue with their customers, both current and prospective. They help them to decide how much “privacy” they want versus how much value they want to derive from the ways in which a trusted online platform may use their data.

Resilient regulation provides the context in which the most competitive businesses, those who hear and heed the voice of their customer, design their privacy policies to satisfy accordingly.

Ray Rothrock is the chairman and CEO of RedSeal, a computer and network security firm.