Privacy Notices, Opt-In Clauses Debated as U.S. Regulators Shape Federal Privacy Law

“The way one would know that they're protected is they have to be able to opt in as opposed to opt out. And I'm really concerned about that, California is opt-out,” said Sen. Dianne Feinstein (D-CA). “Europe is opt-in. So you've got an opt-in standard if you're a country that it's relevant to, in at least 28 countries.”

Panelist Alastair Mactaggart, chairman of the Californians for Consumer Privacy, who helped draft the CCPA, argued that opt-in requirements can cause “click fatigue” for consumers and drive users to mindlessly click “yes” on privacy notices because they feel it's the only way to access a service they need.

He and other panelists, including Mapbox policy lead Tom Lee, advocated for an opt-out feature accessible in Web browsers, which would allow consumers to select a one-time button that would remove them from certain data collection processes.

“Opt-in doesn't escape the problem of mountains of fine print. … It standardizes the language to some extent, but it still puts the burden of making that decision, parsing these legal agreements on each individual user,” Lee said. “While opt-in might be appropriate in some circumstances where there's particularly sensitive data between the entities, opt-out with rules of the road that make sense is a better user experience and probably a better way to go.”

Opt-in requirements flood users with lengthy, legalese-filled privacy policies, critics of the policy feature said. Sen. Dick Durbin (D-IL), and Sen. John Kennedy (R-LA), both pointed at the length and unclear language of sites' privacy notices and consent forms as a threat to consumers.

Durbin said “no one reads privacy notices,” adding the burden should be on tech companies to ensure consumers are adequately informed on what they're consenting to. Kennedy questioned Google senior privacy counsel Will DeVries on the company's lengthy terms of use, which he said stretches on for more than five pages.

“You could hide a dead body in there; no one would find it,” Kennedy said.

He wasn't the only senator who used the hearing to grill Google. Sen. Josh Hawley (R-MO), questioned DeVries on the Mountain View, CA-based company's location tracking policies.

Hawley, the former attorney general of Missouri, claimed Google collected location history from Android phone users, even when location data services were turned off, something he said is not clearly communicated to consumers.

“So the consumer cannot meaningfully opt out,” Hawley said.

Google, according to DeVries, only uses data from opted-out users if the information is necessary for the phone's basic functions.

As in previous hearings on a potential federal data privacy law, the topic of preemption arose. Panelists said they would support preemption in a federal law, though many noted they would only back it if California's CCPA standards were used as “the floor” for protection, not the ceiling. Feinstein said she would “not support any federal privacy bill that weakens the California standard.”

Tech companies have pushed for federal preemption, in part, as a way to override California's law, which goes into effect next year. Critics have called the bill too punitive and claimed it doesn't provide a clear enough definition of personal data. Other proponents for a federal privacy law have cited the challenges of a growing number of state-level proposed privacy bills.

“The patchwork of state legislation will create significant new barriers to the innovative use of data. Only large law firms benefit from this use of data, because business owners of all sizes will need lawyers to offer products and services nationwide,” said David Hoffman, the associate general counsel and global privacy officer of Intel Corp. “These legal costs will slow small, innovative data-oriented startups.”

*****

Caroline Spiezio covers the intersection of tech and law for Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy. She's based in San Francisco. Find her on Twitter @CarolineSpiezio.