2018-22
Protecting Our Privacy in the Always-on Internet and Smart Communities Era
Reported to the Caucus by the NHCSL Broadband and Technology Task Force, Del. Alfonso Lopez (VA), Chair
Sponsored by: Senator Moises “Mo” Denis (NV)
Amanded and ratified by the Caucus on December 8, 2018 in San Diego, California
WHEREAS, according to a 2016 Pew Research report, Latinos are very likely to “own a smartphone, to live in a household without a landline phone where only a cellphone is available and to access the internet from a mobile device” and the percentage of Hispanics who use the internet has continued to rise steadily;[1] and,
WHEREAS, Hispanic and African-American youth use the Internet more frequently than white teens;[2] and,
WHEREAS, Hispanics are the demographic most likely to have at least one social media account and the most likely to use Facebook, YouTube, and WhatsApp;[3]
WHEREAS, according to a study by the Joan Ganz Cooney Center at Sesame Workshop, a majority of bilingual and Spanish-only families reported that their children learned some or a lot of English from using media and were likely to engage in follow-up activities such as conversations, imaginative play, and asking questions. Additionally, parents from Spanish-only homes were most likely to report that their child taught them something they didn’t know based on educational media, confirming other research that documents children’s roles as media brokers and translators in immigrant families;”[4] and,
WHEREAS, rapid changes in technology have allowed billions of devices around the world, such as vehicles, phones, tablets, drones, and products for the home to connect and communicate with each other many times wirelessly;[5] and,
WHEREAS, “smart” devices often have the capability of collecting and tracking everything about consumers including their personal information, conversations, preferences, habits, relationships, and whereabouts;[6] and,
WHEREAS, many also worry that this information could be used by law enforcement and other entities to target minorities, particularly undocumented immigrants, by tracking their location or using emerging technology such as facial recognition;[7] and,
WHEREAS, more and more companies are storing their data in the cloud and not physically in their facilities,* leaving these companies and our personal information vulnerable to massive data breaches when hackers can penetrate their safety protocols;[8] and,
WHEREAS, while companies generally request data-gathering and sharing consent via privacy policies, the truth is that most accept those policies without reading them;[9] and,
WHEREAS, many companies only collect the data they need to provide their service, but for others, our personal information is a commodity that is often bought and sold without our knowledge among thousands of entities within the United States and abroad;[10] and,
WHEREAS, the European Union has recognized the implications of allowing companies to freely collect and sell our personal data and have thus implemented the General Data Protection Regulation (GDPR) to protect the personal information of consumers;[11] and,
WHEREAS, the GDPR standardizes data privacy laws across Europe, requires companies to obtain consent that is “clear and distinguishable from other matters and provided in an intelligible and easily accessible form using clear and plain language,” and imposes steep penalties to organizations that breach the GDPR;[12] and,
WHEREAS, certain ISP’s and edge providers have expressed their receptiveness to potential legislation by Congress in 2019 to regulate data privacy;[13] and,
WHEREAS, placing these restrictions only on ISPs could give an unfair advantage to edge providers, and other companies that already monetize user data;[14] and,
WHEREAS, each state having a different set of data privacy laws would make it unnecessarily difficult for both internet service providers (“ISPs”) and online businesses to follow potentially conflicting laws from different states;[15] and,
WHEREAS, earlier this decade, the Federal Communications Commission (FCC) had assumed the authority, which it has now rescinded, to regulate internet service providers (ISP’s) as common carriers, allowing the agency to oversee their practices, including those related to user privacy, but that authority was limited to ISP’s only and did not encompass edge providers and other companies that profit from collecting much more personal information; and,
WHEREAS, the Federal Trade Commission (FTC) has developed a framework for consumer privacy on the Internet over the past 20 years and has brought over 500 cases protecting the privacy and security of consumer information against all types of businesses in the Internet ecosystem; and,
WHEREAS, in addition to the FTC’s authority, state attorneys general enforce state consumer protection laws prohibiting unfair and deceptive business practices, taking action against companies in connection with certain privacy practices.
THEREFORE, BE IT RESOLVED, that The National Hispanic Caucus of State Legislators supports protecting the privacy and personal information of all internet users and the right for users to choose what personal information an entity can collect from them and what the entity is allowed to do with their information; and,
BE IT FURTHER RESOLVED, that the National Hispanic Caucus of State Legislators understands that federal legislation is the best way to make these protections apply more robustly to the benefit of consumers across the ecosystem, and so calls on the 116th Congress to enact to legislation to that effect, and calls on states to also approve resolutions calling on Congress to do the same; and,
BE IT FURTHER RESOLVED, that the National Hispanic Caucus of State Legislators specifically calls on Congress to include the following provisions in its comprehensive privacy protection act:
- Codify the Fair Information Practice Principles (FIPPS) that the FTC has long used as the basis of its enforcement actions under Section 5 of the FTC Act, including:
- Notice and clear choice to consumers about what information is being collected (within technical reason),
- The ability to opt-out of that collection,
- Transparency as to what information is collected and how it is to be used,
- Create more incentives for companies to improve their data security practices, within economic reason, including ISO 27000 compliance, privacy best practices certification from recognized third parties such as the Better Business Bureau and others, and adopting data collection and use best practices including minimization and retention,
- Enhance the FTC’s enforcement powers and budget, as requested by the Commission itself,
- Enact uniform breach notification standards,
- Enact uniform standards for ISPs, telcos, and content providers, under the single authority of the FTC and not split between FTC and FCC,
- Include safeguards to prohibit discriminatory activities or practices that might arise from the misuse of personal information; and,
BE IT FURTHER RESOLVED, that the National Hispanic Caucus of State Legislators declares that if the 116th Congress fails to act on this issue, then states should commission and then enact as a compact, model interstate legislation for online privacy protection, that will attempt to guarantee that privacy protections are not a patchwork of legislation that is too complicated to follow or enforce; and,
BE IT FINALLY RESOLVED, that, if states choose to act before the 116th Congress ends, they could:
- create their own specialized cybersecurity agency or task force,
- enact appropriate penalties for cybercrime, and,
- amend their procurement policies to add a requirement that companies handling sensitive data on behalf of state governments have ISO 27000 certification.
THE NATIONAL HISPANIC CAUCUS OF STATE LEGISLATORS RATIFIED THIS RESOLUTION, AS AMENDED, ON DECEMBER 8, 2018, AT ITS ANNUAL MEETING IN SAN DIEGO, CALIFORNIA.
[1] http://www.pewhispanic.org/2016/07/20/digital-divide-narrows-for-latinos-as-more-spanish-speakers-and-immigrants-go-online/
[2] http://www.pewinternet.org/2015/04/09/teens-social-media-technology-2015/
[3] http://www.pewinternet.org/fact-sheet/social-media/; http://www.pewinternet.org/2018/03/01/social-media-use-2018-appendix-a-detailed-table/
[4] June Lee & Brigid Barron, Aprendiendo en casa: media as a resource for learning among hispanic-latino families, http://www.joanganzcooneycenter.org/wp-content/uploads/2015/02/jgcc_aprendiendoencasa.pdf
[5] https://www.americanbar.org/content/dam/aba/events/cle/2018/spring/ce1805iot_agenda.authcheckdam.pdf
[6] https://www.nytimes.com/2018/04/11/technology/personaltech/i-downloaded-the-information-that-facebook-has-on-me-yikes.html
[7] https://www.npr.org/2018/05/22/613115969/orlando-police-testing-amazons-real-time-facial-recognition; https://futurism.com/human-rights-discriminatory-artificial-intelligence/
[8] See http://www.businessinsider.com/google-names-huge-companies-using-its-cloud-2015-6; https://qz.com/279749/why-the-cloud-is-an-attractive-target-for-sophisticated-hackers/; https://www.foxbusiness.com/features/why-hackers-love-the-cloud;
*The cloud does have a physical presence in the form of massively redundant data centers commonly located in rural or exurban areas.
[9] See Alexia C. Madrigal, Reading the Privacy Policies You Encounter in a Year Would take 76 Work Days, The Atlantic, https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/
[10] Reno v. Condon, 528 U.S. 141, 148 (2000) (finding the personal and identifying information that the Driver’s Privacy Protection Act regulates to be a “thing of interstate commerce”); see also Steve Kroft, The Data Brokers: Selling your Personal Information, CBS News 60 Minutes (Aug. 24, 2014) (explaining how our information is bought and sold), https://www.cbsnews.com/news/data-brokers-selling-personal-information-60-minutes/
[11] https://www.nytimes.com/2018/05/23/technology/personaltech/what-you-should-look-for-europe-data-law.html?smid=nytcore-ios-share
[12] https://www.eugdpr.org/the-regulation.html
[13] https://www.pbs.org/newshour/politics/watch-zuckerberg-says-facebook-is-open-to-regulation-if-its-the-right-regulation; https://www.fastcompany.com/40537088/the-next-battle-between-states-and-the-feds-is-over-your-personal-data
[14] https://www.washingtonpost.com/news/the-switch/wp/2016/10/27/the-fcc-just-passed-sweeping-new-rules-to-protect-your-online-privacy/?utm_term=.13ab2454e2f3
[15] https://www.fastcompany.com/40537088/the-next-battle-between-states-and-the-feds-is-over-your-personal-data