Protecting privacy online becoming a matter for Congress

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Facebook chief executive Mark Zuckerberg told users after this year’s Cambridge Analytica scandal.

Judging by the company’s announcement Friday of a breach that exposed the information of almost 50 million users, Facebook is failing its own test. That reality is even more reason for federal lawmakers to take care as they consider a regulatory framework to govern how Internet providers and platforms handle users’ data.

Representatives from some of Facebook’s fellow top technology and communications firms testified Sept. 25 before a Senate committee, where the companies claimed they are ready and willing to be regulated. This is not as surprising as it may sound. The increased appetite for federal privacy legislation comes months after California passed its own data protection law. Working with Congress may help firms pre-empt state action with rules that are friendlier to industry.

There’s good reason for Congress to act. Addressing privacy in the digital age will involve much more than increased security and notification requirements for breaches such as the one Facebook disclosed Friday, though both are crucial. Leaving the issue to states could lead to a confusing patchwork of regulations; in many cases, conforming to one locality’s laws might put a firm on the wrong side of another’s. But if Congress does take on data protection, it must make sure its regime is more than a get-out-of-jail-free card for companies seeking to avoid stricter regulation.

The principle that must undergird any framework is relatively straightforward: Consumers should have more control over how companies collect, use, share and sell their data. How to put that principle into practice is not straightforward at all.

To start, lawmakers must establish a definition of “personal information” that encompasses users’ characteristics and the inferences companies draw from their behavior online. Legislators must also decide whether consumers consent to the collection and sale of their data on an opt-out or opt-in basis, perhaps differentiating based on the sensitivity of the information. They must mandate that consent be meaningful: Companies should tell consumers clearly and concisely what data they are gathering for what purpose — and then use it for the purpose they promised.

All the while, lawmakers must make their standards and definitions as clear and simple as possible for companies to comply with. They should be mindful that regulation can often serve to entrench the most powerful firms, at the expense of innovative start-ups. And they must give the Federal Communications Commission and the Federal Trade Commission the resources and authority to implement the rules.

Building a robust Internet privacy regime from scratch is not easy. Doing it right will require aid from subject experts — perhaps in the form of an authorized commission — as well as the participation of consumer advocates, who were not included in Tuesday’s hearing. Doing it wrong would leave the millions of Americans who use the Internet every day at risk.

— WASHINGTON POST