This afternoon I spoke at a press conference in NYC to support Sen. Gillibrand’s new bill to create a new federal agency specifically devoted toward protecting privacy, called the Data Protection Agency. The bill is posted here; more about it is here.
The statement I gave is below; and below that is the press release, with quotes from Sen. Gillibrand and the other two privacy experts pictured above, Caitriona Fitzgerald of EPIC and Prof. Ezra Waldman of NY Law School.
Hi, my name is Leonie Haimson, and I’m co-founder and co-chair of the Parent Coalition for Student Privacy. We are one of the many organizations that have submitted complaints to the FTC about the way companies like Facebook, Google and Google Play Apps have been illegally harvesting young children’s information and potentially using it for commercial purposes without parental consent in violation of COPPA. And yet the FTC’s response to these complaints has been silence, or at best a mere slap on the wrist, a symbolic fine that barely touches the huge profits of these companies.
In addition, the FTC has put out a series of contradictory guidance documents about how COPPA applies to the collection of personal data from children in schools that has managed to confuse nearly everyone. As a result, each school and district interprets their responsibilities differently about whether or not they even inform parents beforehand, no less ask for their consent, . when their children are assigned programs to use that require them to upload their personal information.
For example, Google Apps for Education, also called G-suite, is used in literally tens of thousands of schools across the country; and yet many parents are concerned about the amount of personal data Google collects from their children, including their geolocation and metadata, and how this information may be abused.
More recently, the FTC has signaled that they may be rewriting regulations for COPPA regulations to further weaken student privacy, in and out of the classroom, causing us to worry that they are more interested in serving the commercial interests of the ed tech industry instead of keeping our children safe from commercial exploitation. We are also extremely concerned about the non-transparent algorithms increasingly being used in classrooms across the country to direct children’s learning and steer their educational trajectories – algorithms that may feature inherent biases and be based on inaccurate data.
All this further reconfirms our conviction that it is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care. Thank you Senator Gillibrand, for introducing the Data Protection Act, and our Parent Coalition is committed to doing all we can to help get it passed.
From: Gillibrand, Press (Gillibrand) <Press_Gillibrand@gillibrand.senate.gov>
Sent: Sunday, February 23, 2020 1:59 PM
Subject: STANDING WITH DATA PRIVACY EXPERTS AND ADVOCATES, GILLIBRAND ANNOUNCES LANDMARK LEGISLATION TO CREATE A DATA PROTECTION AGENCY TO COMBAT NATIONAL DATA PRIVACY CRISIS
FOR IMMEDIATE RELEASE:
Sunday, February 23, 2020
Contact: Evan Lukaske, 202-224-3873
STANDING WITH DATA PRIVACY EXPERTS AND ADVOCATES, GILLIBRAND ANNOUNCES LANDMARK LEGISLATION TO CREATE A DATA PROTECTION AGENCY TO COMBAT NATIONAL DATA PRIVACY CRISIS
The Data Protection Act Would Create a Consumer Watchdog to Give Americans Control and Protection of Their Data, Promote a Competitive Digital Marketplace, and Prepare the U.S. for the Digital Age
U.S. Still One of the Only Democracies Without a Data Protection Agency
New York, NY — Alongside data privacy experts and advocates, U.S. Senator Kirsten Gillibrand today announced her landmark legislation, the Data Protection Act, which would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. The push for a national agency to oversee data privacy comes as leaders from EPIC, the Parent Coalition for Student Privacy, the New York Law School’s Innovation Center for Law and Technology and Institute for CyberSafety, and more express concern for the growing data privacy crisis that looms over the everyday lives of Americans. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency.
“Technology is connecting us in new significant ways, and our society must be equipped for both the challenges and opportunities of a transition to the digital age. Data privacy is becoming an urgent concern for the everyday lives of Americans and the government has a responsibility to step forward and give them meaningful protection over their data and how it’s being used,” said Senator Gillibrand. “Data has been called ‘the new oil.’ Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences. The U.S. needs a new approach to privacy and data protection. We cannot allow our freedoms to be trampled over by private companies that value profits over people, and the Data Protection Agency would do that with expertise and resources to create and meaningfully enforce data protection rules and digital rights.”
“EPIC applauds Senator Gillibrand for filing the Data Protection Act,” said Caitriona Fitzgerald, EPIC Policy Director. “The United States confronts a crisis. The Federal Trade Commission has consistently failed to protect consumers. The system is broken. A Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges is needed now.”
“It is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care. Thank you Senator Gillibrand, for introducing the Data Protection Act, and our Parent Coalition is committed to doing all we can to help get it passed” said Founder of Parent Coalition for Student Privacy Leonie Haimson.
“Privacy is a civil right, not a good to be traded in the market. The FTC has tried, but it has overseen the erosion of personal privacy with the lightest of light regulatory touches. It is structurally incapable or unwilling to do what needs to be done to protect privacy from companies that will do anything to extract our data. Along with other proposals from Senate Democrats, Senator Gillibrand’s Data Protection Agency is necessary to empower individuals in the digital economy” said Ari Ezra Waldman, Director of the Innovation Center for Law and Technology at New York Law School and Founder and Director of the Institute for CyberSafety.
As the United States transitions into the digital age, the DPA will address America’s growing data privacy crisis. The new agency will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
Massive amounts of personal information — public profiles, health data, photos, past purchases, locations, search histories, and much more — is being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone — including the federal government — can do about it. Not only have these tech companies built major empires and made billions from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.
In recent years, major data breaches have occurred at banks, credit rating agencies and tech firms. In 2017, Equifax failed to safeguard the sensitive credit data of hundreds of millions of Americans, allowing a foreign government to steal and expose this information. In 2018, Facebook exposed the personal information of nearly 50 million users because it reportedly ignored warnings from its own employees about a dangerous loophole in its security. Additionally, the Federal Trade Commission (FTC) has failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties.
The Data Protection Agency explained:
The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge in technology, protection of personal data, civil rights, law, and business. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act.
The DPA would have three core missions:
- Give Americans control and protection over their own data by creating and enforcing data protection rules.
- The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
- The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings.
- Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace.
- The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
- The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts—because privacy, including online privacy, is a right that should be enforced.
- Prepare the American government for the digital age.
- The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.
The full text of the legislation may be found here.