The Brookings Institution’s January 2020 guidance for “notice and transparency” will place additional data privacy scrutiny on corporate policymakers at U.S. firms — while allowing consumers to exert greater customization control over how personal and categorized data points are distributed.
Brookings Institution Data Privacy Recommendations (Introduction)
Nonprofit public policy think tank Brookings has released updated guidance for consumer data privacy controls that could meaningfully promote avenues for federal and/or statewide regulators to assist a “specialized audience of watchdogs by including thorough disclosure requirements in legislation.”
BLOG: Hitting Refresh on Privacy Policies (Brookings Institution – Jan 6, 2020)
Stating that “individuals deserve transparency,” Brookings Institution contributors Cameron F. Kerry, Caitlin Chin, and Marla Odell conclude that it is time to “shift” the concept companies have traditionally used to receive “consent” of data-related permissions, conceding that “most individuals realistically should not be responsible for reading in-depth notices.”
Following is a summary of the January 6th blog post that breaks down regulatory guidance by section.
Hitting Refresh on Privacy Policies (Summary)
According to various sources, the current “notice-and-consent” regime that has dictated online privacy governance for decades is outdated. Companies’ continuously changing Terms of Service related to privacy policies often result in over-notification or “click fatigue.”
This ultimately burdens consumers with the responsibility of managing how their data is shared, even though most firms do not offer corresponding customization tools.
In reaction to this, U.S. Senate Democrats submitted a November 2019 proposal that would establish a Privacy and Data Protection Framework, effectively shifting at least a portion of these burdens “to the companies that collect and use data.”
NOTICE-AND-CHOICE IN DRAFT LEGISLATION
Despite the arguably outdated status of said mechanisms for receiving authorization to collect data, Kerry and Chin report that a number of current legislative proposals tied to consumer privacy continue to rely on notice-and-choice “in various degrees,” prescribing “affirmative express consent” for a wide range of data sensitivity categories.
Draft proposals’ reliance on the word “consent” to authorize the collection of consumer data points remains prevalent, as does policymakers’ tendency to create guidelines that both complicate and streamline end-user Terms of Service agreements. This results in a “Procrustean bed” of regulations that practically ensure ongoing confusion and frustration for consumers who have become disillusioned with companies’ lax oversight and broad interpretation of data collection authorizations.
One possible solution could be separating data collection consent forms into two separate disclosure categories: (a) complete versions for regulators plus “other specialized parties” that can be relayed to consumers in a more concise, “contextually appropriate” form, and (b) concise forms that fully communicate how information will be shared along with the consumer’s data protection rights.
COMPLETE PRIVACY DISCLOSURE STATEMENTS FOR REGULATORS
Much of the verbiage contained within full privacy disclosure statements is “useless to the average individual,” state Brookings Institution researchers. However, robust permission forms do possess “material value for regulators, journalists, and public interest organizations.”
By requiring companies to comply with comprehensive disclosure guidelines relating to how consumer data is acquired and shared, Congress may be able to assist watchdog groups by removing proprietary considerations for corresponding disclosure forms.
Such considerations could aid organizations in clarifying policy trends while at the same time providing a more tenable environment for burdening corporate officers with achieving publicly-vetted “accountability benchmarks.”
VARIED CONTEXTUALLY-APPROPRIATE NOTICES FOR INDIVIDUALS
Describing transparency as a “fundamental value,” Brookings researchers opine that “individuals deserve transparency” despite the general uselessness to consumers that such transparent statements often represent.
Additional restrictions for dealing with data that involves children under the age of 13 (see: COPPA and HIPAA) are being rolled out on major platforms such as Facebook, Google, Apple, YouTube and others to ensure that disclosure agreements are specifically “targeted” to that audience.
Thus, it is important for lawmakers to create provisions in existing law to guarantee that detailed disclosure information remains available to the general public, while at the same time streamlining end-user agreement “notices” in a way that adequately and contextually informs consumers when they are being asked to sign-away rights to their own detailed, sensitive information.
RIGHTS AND RESPONSIBILITIES FOR INDIVIDUALS AND BUSINESSES
In short, companies, not people, should bear the responsibility of protecting data — as protecting privacy has gradually become a losing game in which businesses utilize virtual long-form Terms & Conditions slips to create fatigue among end-users that inevitably results in corporate misuse/abuse of data collection privileges.
Policymakers hope to curb the practice of businesses shirking data privacy protection responsibilities by granting a greater level of data privacy control to consumers so they can individually decide which information to share or withhold from the companies they patronize.
SOCIAL MEDIA CONSIDERATION (TWITTER): @cam_kerry, @cait_chin, @BrookingsInst, @BrookingsPress
MEDIA INQUIRIES: Brookings Institution Governance Studies Main Line (202) 797-6090
Brookings Institution Guidelines for Regulated iGaming (Conclusion)
* All conclusions belong solely to the author.
Due to the continuing reliance on outdated “notice-and-consent” methods for justifying mass-collection of data points from consumers, it is unlikely that regulated iGaming corporations will embrace recommended policy guidelines put forth by the Brookings Institution until they are publicly held accountable for said practices by policymakers, consumers, and/or watchdog organizations.
Company-sponsored compliance with data privacy recommendations could take years to become reality without some form of “corporate penalty” (ideally enforced by major search engines such as Google) for online gambling services that rely on assigning a material, proprietary value to the data points they obtain from customers, while failing to exercise reasonable prudence in lawfully obtaining said information.
In the meantime, U.S. data privacy protections will remain opaque and unrefined for the vast majority of iGaming consumers whose data will continue to be misused/abused in the name of stabilizing/increasing companies’ revenue streams that have historically been tied to collection of sensitive data points.
* This article is funded directly by Part Time Poker.
Read More iGaming Regulatory Coverage from Part Time Poker
Online Casino Marketers Form Responsible Affiliates in Gambling Trade Group
partypoker Major Changes 2019 Analysis
PokerStars Michigan Preliminary Game Integrity Testimony
Pennsylvania Compulsive and Problem Gambling Regulatory Guide
FOLLOW US ON TWITTER: @PartTimePoker, @KaufmanGaming, @gonzo787, @WoernlePoker, @dhubermex