Categories: privacy

A Path Forward: Rights and Rules to Protect Privacy in the United States

Privacy is on the tip of everyone’s tongue. Lawmakers are discussing how to legislate it, big tech is desperate to show they care about it, and everyday people are looking for tools and tips to help them reclaim it.

That’s why today, we are publishing our blueprint for strong federal privacy legislation in the United States. Our goals are straightforward: put people back in control of their data; establish clear, effective, and enforceable rules for those using that data; and move towards greater global alignment on governing data and the role of the internet in our lives.

For Mozilla, privacy is not optional. It’s fundamental to who we are and the work we do. It’s also fundamental to the health of the internet. Without privacy protections, we cannot trust the internet as a safe place to explore, transact, connect, and create. But thanks to a rising tide of abusive privacy practices and data breaches, trust in the internet is at an all time low.

We’ve reached this point because data practices and public policies have failed. Data has helped spur remarkable innovation and new products, but the long-standing ‘notice-and-consent’ approach to privacy has served people poorly. And the lack of truly meaningful safeguards and user protections have led to our social, financial and even political information being misused and manipulated without our understanding.

What’s needed to combat this is strong privacy legislation in the U.S. that codifies real protections for consumers and ensures more accountability from companies.

While we have seen positive movements on privacy and data protection around the globe, the United States has fallen behind. But this conversation about the problematic data practices of some companies has sparked promising interest in Congress.

Our framework spells out specifically what that law needs to accomplish. It must establish strong rights for people, rights that provide meaningful protection; it must provide clear rules for companies to limit how data is collected and used; and it must empower enforcement with clear authority and effective processes and remedies.

Clear rules for companies

  • Purposeful and limited collection and use – end the era of blanket collection and use, including collecting data for one purpose and then using it for another, by adopting clear rules for purposeful and limited collection and use of personal data.
  • Security – ensure that our data is carefully maintained and secured, and provide clear expectations around inactive accounts.

Strong rights for people

  • Access – we must be able to view the information that has been collected or generated about us, and know how it’s being used.
  • Delete – we should be able to delete our data when reasonable, and we should understand the policies and practices around our data if our accounts and services become inactive.
  • Granular, revocable consent – stop the practice of generic consent to data collection and use; limit consents to apply to specific collection and use practices, and allow them to be revoked.

Empowered enforcement

  • Clear mandate – empower the Federal Trade Commission with a strong authority and resources to keep up with advances in technology and evolving threats to privacy.
  • Civil penalties – streamline and strengthen the FTC’s enforcement through direct civil investigation and penalty authority, without the need for time- and resource-intensive litigation.
  • Rulemaking authority – empower the FTC to set proactive obligations to secure personal information and limits on the use of personal data in ways that may harm users.

We need real action to pass smart, strong privacy legislation that codifies real protections for consumers while preserving innovation. And we need it now, more than ever.

Mozilla U.S. Consumer Privacy Bill Blueprint 4.4.19

 

 

Photo by Louis Velazquez on Unsplash

One comment on “A Path Forward: Rights and Rules to Protect Privacy in the United States”

  1. Thomas Dargan wrote on

    The Blueprint does not mention ISP freedom to read & harvest our IP packets while delivering them. Do you think the Blueprint covers that abuse as well as this draft bill, urged by Indivisible groups? (This bill was not taken up by the Democrats in the House, in favor of the “Save the Internet Act.” Deep Packet Inspection is the network engineer’s half-embarrassed term for reading your stuff while delivering it.)

    115TH CONGRESS 2D SESSION
    [DISCUSSION DRAFT]
    H. R. __
    To amend the Communications Act of 1934 to prohibit broadband internet access service providers from engaging in deep packet inspection.
    IN THE HOUSE OF REPRESENTATIVES
    —— introduced the following bill; which was referred to the Committee on ______________
    A BILL
    To amend the Communications Act of 1934 to prohibit broadband internet access service providers from engaging in deep packet inspection.
    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
    SECTION 1. SHORT TITLE.
    This Act may be cited as the “Deep Packet Privacy Protection Act of 2018”.
    SEC. 2. PROHIBITION ON DEEP PACKET INSPECTION.
    (a) IN GENERAL.—Title VII of the Communications Act of 1934 (47 U.S.C. 601 et seq.) is amended by adding at the end the following:
    “SEC. 722. PROHIBITION ON DEEP PACKET INSPECTION.

    “(a) IN GENERAL.—A broadband internet access service provider may not engage in deep packet inspection, except in conducting a reasonable network management practice.
    “(b) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to prohibit a broadband internet access service provider from engaging in deep packet inspection as required by law, including for purposes of criminal law enforcement, cybersecurity, or fraud prevention.
    “(c) DEFINITIONS.—In this section:
    “(1) BROADBAND INTERNET ACCESS SERVICE.—
    “(A) IN GENERAL.—The term ‘broadband internet access service’ means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service.
    “(B) FUNCTIONAL EQUIVALENT; EVASION.—The term ‘broadband internet access service’ also includes any service that—
    “(i) the Commission finds to be providing a functional equivalent of the service described in subparagraph (A); or
    “(ii) is used to evade the prohibitions set forth in this section.
    “(2) DEEP PACKET INSPECTION.—The term ‘deep packet inspection’ means the practice by which a broadband internet access service provider reads, records, or tabulates information or filters traffic based on the inspection of the content of packets as they are transmitted across their network in the provision of broadband internet access service.
    “(3) NETWORK MANAGEMENT PRACTICE.—The term ‘network management practice’ means a practice that has a primarily technical network management justification, but does not include other business practices.
    “(4) REASONABLE NETWORK MANAGEMENT PRACTICE.—The term ‘reasonable network management practice’ means a network management practice that is primarily used for and tailored to achieving a legitimate network management purpose, taking into account the particular network architecture and technology of the broadband internet access service, including—
    “(A) delivering packets to their intended destination;
    “(B) detecting or preventing transmission of malicious software, including viruses and malware; and
    “(C) complying with data protection laws and laws designed to prohibit unsolicited commercial electronic messages, including the CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.) and section 1037 of title 18, United States Code.”.
    (b) DEADLINE FOR RULEMAKING.—Not later than 180 days after the date of the enactment of this Act, the Federal Communications Commission shall issue a rule to implement the amendment made by subsection (a).
    (c) EFFECTIVE DATE.—The amendment made by this section shall apply beginning on the date that is 270 days after the date of the enactment of this Act.