The deadline for implementing the European Union's tougher digital privacy and security measures is less than one year away, but privacy experts in the U.S. remain divided on the best policy for internet companies going forward.
In particular, experts disagree over whether U.S. regulators and firms should generally embrace an opt-in approach, where a user must give affirmative consent before personal data can be collected or shared, or an opt-out approach, where most consumer data can be collected and shared unless or until the consumer actively withholds permission.
During a panel discussion hosted by the Information Technology and Innovation Foundation, a tech-focused think tank based in Washington, D.C., ITIF Vice President Daniel Castro argued in favor of an opt-out approach, noting that obtaining consent from each and every user is costly relative to the value of any one user's personal data. Moving to an opt-in approach, he warned, would leave companies with less money to invest in innovation and could lead them to shut down services or move to a pay model.
"The internet ecosystem has been built on this financial model of free and low-cost apps and services that depend on the availability of targeted online ads that use personal information," Castro said.
He noted that while no user wants their information stolen or accessed by cybercriminals, he believes most consumers are willing to accept some degree of data tracking on the part of internet companies in exchange for free email and other services.
"You have some users that really value their privacy, some users that don't put a huge premium on that and then most of us that are somewhere in the middle where we are willing to make certain trade-offs," he said, adding that he sees the opt-out approach as best serving this latter middle-ground group.
But while Castro may prefer an opt-out approach to online privacy, Kara Sutton, senior manager at the U.S. Chamber of Commerce Center for Global Regulatory Cooperation, said most major internet companies in the U.S. will need to move to an opt-in approach as a result of the EU's General Data Protection Regulation.
"The reality that a lot of especially larger companies are looking at now is GDPR is likely going to be their minimum standard across the world," Sutton said, noting it does not make sense for multinational companies like Alphabet Inc. and Facebook Inc. to have two separate playbooks for the U.S. and the EU.
The EU data protection rules, set to apply from May 2018, require a company relying on consent as its legal basis to obtain "unambiguous" affirmative consent from a user before collecting or processing the user's "personal data." (Consent is one of several lawful bases for processing under the GDPR, but it is the one most relevant to the opt-in versus opt-out debate.) According to the Council of the European Union, personal data "can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."
Personal data is different from sensitive data under the GDPR, which the regulation calls "special categories of personal data" and which requires an even higher level of "explicit" consent. Sensitive data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data and data about a person's sex life or sexual orientation. There are also special protections for children.
While unambiguous consent can take several forms, including "ticking a box when visiting an internet website" or choosing technical settings for an app or browser, "silence, pre-ticked boxes or inactivity" do not constitute consent. As for explicit consent, a user must agree to a particular use or disclosure of their personal information either orally or in writing. In other words, settings on a user's browser or app likely will not cut it.
These new rules are far more restrictive than the online privacy regime currently enforced in the U.S. by the Federal Trade Commission. The FTC framework relies more heavily on an opt-out approach, requiring opt-in approval only where companies plan to use data in a manner materially different from what was originally stated, or where they collect and share "sensitive" data, such as geolocation information, children's information, health information, financial information and Social Security numbers.
Sutton said she actually prefers the U.S. approach but noted the GDPR is "the new reality that companies have to live with."