Patrick Walsh
Originally published at www.forbes.com.

Forbes: We're Living Through A Digital Privacy Catastrophe: It’s Past Time For A Serious Nationwide Privacy Law

The U.S. lags behind much of the world when it comes to protecting the privacy of its citizens. Companies can do almost anything they want with our digital data, including selling it to the U.S. government. Our democracy and the freedoms we take for granted are in danger.

The Data Free-For-All

Companies often claim they don’t sell your data even while they secretly pass it to numerous partners. And they claim that anything they share is anonymized and thus not a big deal. But often that data can be traced back to you anyway.

For example, if someone has access to your location data from a 24-hour period, they can deduce your home address, your office, your child’s school and your identity. It isn’t just theory—it happens all the time.

For years, the dating app Grindr shared the location data of its users with advertisers. That data stream was used to publicly “out” a priest. The location data was shared with 19 partners. One of those partners shared it with 170 others, and one of those in turn shared it with another 4,259 companies. That’s just one path. Thousands of companies are holding and selling troves of data on Grindr users.

Elsewhere, a data brokerage is selling location information that identifies individuals who have gone to Planned Parenthood clinics, which in turn can be used for harassment. No matter your political views, that’s pretty creepy. And unfortunately, it’s all perfectly legal in the United States.

Many mobile apps have a legitimate need to see your location but then abuse that privilege to “share” your info with “partners.” Weather apps, transportation apps, restaurant review apps, dating apps and many others fall into this category. Consequently, it’s impossible to know who actually has our information, what they have or how it’s being used.

Existing laws like HIPAA, which keeps hospitals from revealing your health data, allow any tech company that collects your health data to use and share it at will. Why is sensitive health data protected when held by one party, but not when held by another?

Government Abuse

Commercial availability of data via these brokers has another side effect: it allows law enforcement to bypass warrant requirements. Commercial entities like your cell phone provider, who can see where you’ve been, who you call and what websites you visit, are allowed to sell that data to anyone, including the government. Because of the “third-party doctrine,” there’s no need for a warrant.

Maybe you’re not worried about the government having your data, and I get it—you’ve done nothing wrong. But did you know that they’re acquiring this data in bulk?

It’s one thing to target someone suspected of doing something wrong, but we’re talking about the government buying data for mass surveillance. The Trump administration purchased location data to identify Black Lives Matter protesters. The Biden administration used similar data to identify January 6th rioters. And private surveillance companies buy the data for even shadier purposes. It’s pervasive.

To fix it, we need a federal privacy law built around these core pillars:

1. A Duty Of Care For Security And Privacy

Today, except for a few specific niche areas, companies have no duty of care and no meaningful penalties if they violate your privacy or if their poor security leads to your data being stolen. You currently only have recourse if your identity is stolen and you can prove fault.

We must give companies a fiduciary responsibility for what happens to the data they collect and share. If it can be reidentified, for example, then they are culpable. This will drive good behaviors like the deletion of data that’s no longer needed, the reduction of collected data and the wider use of data protection technologies.

2. People First, Corporations Second

Big companies often complain that a privacy law would be too burdensome on them. As a result, most privacy laws we see today shift the burden off of companies and onto consumers.

Several states have passed privacy laws that grant consumers the right to “opt-out” of data collection, to request access to copies of the data that’s held on them and to request that held data be deleted or corrected. The Colorado Privacy Act is an example of a law that takes this approach.

These are steps in the right direction, but in practice, consumers have to be very proactive to get any of the benefits from the law: they have to read the fine print, make requests of companies and know everywhere their data resides.

The burden is on the consumer and that burden is unimaginably heavy. You could dedicate your life to just opting out and still not regain any real control over your data. This approach lets companies off the hook and then blames the victims.

3. Eradicating The Warrant Bypass Problem

The purpose of having a system of checks and balances is to protect the property and liberty of the people of this country. Yet government agencies can legally purchase surveillance data and completely bypass the system of warrants designed to protect us.

It is important to establish a federal privacy law that doesn’t make exceptions for small companies, credit bureaus, law enforcement or anyone else. The right to privacy should be universal. Invasions of privacy should be tolerated only when there’s just cause. Warrants should be required no matter how the data is obtained.

4. Meaningful Penalties

Most importantly, there have to be consequences for companies that don’t follow the rules. Those consequences should include potentially large financial penalties. And consumers should have the right to seek them directly via a private right of action rather than waiting for a government agency to intervene. We’ve seen how political pressures can delay and reduce fines to jokes.

As things become worse, it’s time for Congress to act. We need a federal privacy law now.