Tatyana Bolton is the policy director for Cybersecurity & Emerging Threats at the R Street Institute. Chris Riley is the senior fellow of Internet Governance at the R Street Institute. Brandon Pugh is the policy counsel for R Street’s Cybersecurity and Emerging Threats team.
Now, a decision out of Brussels officially finds that a commonly used framework built on this one-click consent principle is not compliant with the European Union’s privacy legislation, known as the General Data Protection Regulation (GDPR). While the legal scope of this decision is limited to the EU, the practical effects will reach beyond Europe’s borders. What comes next? We hope this spurs the U.S. to move once and for all away from failed notice and consent principles to a real data privacy framework that adequately protects consumer privacy and data security.
On Feb. 2, 2022, the Belgian Data Protection Authority (DPA) declared that IAB Europe, which represents the digital advertising and marketing industry in Europe, violated numerous GDPR provisions. IAB’s framework, which has been in use since 2018, uses a pop-up during the initial website connection to gather users’ consent for advertising-related data collection. IAB’s system has been widely adopted across Europe, and is also sometimes used in the United States. The violations the DPA found are significant, ranging from insufficient transparency to failing to ensure data integrity. Basically, a big swath of companies in the ad-tech space now need to change their practices and compliance frameworks — and maybe even their business models — for data security and privacy. And while the GDPR only binds Europe, many companies follow it as a uniform global standard and apply it not only in the EU but also in the U.S. and around the world.
The most important lesson for the U.S. to take from this regulatory action is that Congress needs to finalize and pass a federal data security and data privacy law to offer an American vision for sound public policy to protect internet users. Today, Americans are used to having privacy managed through a patchwork of consents, cookies and compliance, but that is insufficient. We need to move toward a culture that addresses and respects the underlying concepts of data security and privacy through federal legislation that sets a firm standard for data collection, retention and transfer. And as is clear from IAB’s violations of GDPR, frameworks aren’t always sufficient. An American standard would enable enforcement, holding companies accountable for violations — something that doesn’t exist today.
Years of dramatic messaging bills that lack consensus or even common sense have set us on our back foot. Rather than attempting to lead on data privacy and security, Congress has pursued laws that will have detrimental effects, like undermining encryption. Meanwhile, full data security and privacy frameworks sit on the shelf waiting for action. Federal legislation could provide uniform data privacy and security protections for consumers and businesses, and prevent the United States from being an outlier to other countries with existing frameworks.
The Safe Data Act, the Consumer Online Privacy Rights Act and the Consumer Data Privacy and Security Act of 2021, among many others, are examples of possible solutions that could address the underlying issues facing our evolving digital ecosystem, where some corporate data practices have created a huge trust deficit with everyday internet users. Frameworks, and not piecemeal provisions or legislative distractions, are critical.
Federal law has stalled in part because of a lack of consensus on several key areas, including preemption, enforcement, rulemaking authority and what entities and data are covered. However, years of research have helped advocates, industry and Congress progress from an “all-or-nothing” approach to these roadblocks toward more nuanced solutions. Democratic and Republican offices are working behind the scenes to find a delicate balance on savings clauses in preemption, expanding FTC enforcement authority, right to cure and civil rights provisions, answers to which are crucial to a final bill. Finding a middle ground is essential to advancing.
On its face, the EU decision flags questionable practices surrounding notice and consent that all companies should revisit. Some Americans may notice a change in their daily internet use. Some American companies will be directly affected. And on a larger scale, the decision highlights the urgent need for the U.S. to act on data privacy and security legislation to ensure consistent, secure and fair practices, rather than divining operating principles from the patchwork extension of a law written for an entirely different European regulatory environment. The right move is to do something real — better than the useless buttons that follow us to every website we visit.