It’s understandable if you’re pessimistic about the state of our privacy these days. Between the slow but steady creep of facial recognition, surveillance-based advertising, and social media, we’ve never been more exposed. It feels as if every day brings a new threat, whether it be companies putting spycams on sunglasses or using dubious AI to link your facial expressions to your employment prospects.
We need strong privacy rules to save us from these threats. But instead of passing tough comprehensive privacy legislation, for the past 20 years Congress has been content to legislate in narrow areas like health, credit, and finance and let the Federal Trade Commission file ad hoc enforcement actions against companies such as Facebook and Google for unfair or deceptive behavior. It’s not enough. Companies still treat our data as a free-for-all resource to be strip-mined and sold to the highest bidder.
Evidence of our perilous situation can be found in, among other places, the Facebook/Cambridge Analytica scandal, the never-ending onslaught of high-profile data breaches, mobile apps built to trick us into oversharing, and employee monitoring using racially biased artificial intelligence. Meanwhile, tech companies use our data to train AI systems that make life increasingly miserable for employees or students who dare to get bored, take a break, or make a mistake. All watched over by machines built to deny grace.
But we’re not sunk yet. Our state Legislature is considering a bold new privacy bill, the Massachusetts Information Privacy Act, or MIPA. If it becomes a law, it would be the most revolutionary piece of privacy legislation in the United States.
Even if MIPA fails to pass in its current form, it should be the starting point for future privacy bills. Massachusetts can give the country its best shot at holding big companies that collect and use our personal information fully accountable for our privacy.
Confidentiality, care, and loyalty
Most states don’t have a true data privacy law. Even the few that do, such as California, Virginia, and Colorado, have a relatively narrow focus or weak enforcement provisions. MIPA takes the best parts of those laws and adds some strong prohibitions and penalties.
The first thing to note about MIPA is its breadth. It would regulate bigger companies’ standard data practices, like the collection and use of our browsing history to deliver targeted ads. But the bill goes further to protect people from constant surveillance. MIPA targets newer technologies that combine facial recognition, sensors, and GPS to extract intimate data from our faces, voices, and whereabouts. This kind of highly revealing data is particularly susceptible to misuse and harm. Harassers can use these tools to stalk others. Companies and governments can use these tools in ways that harm our reputations, deny us opportunities, or squelch our creativity and expression. Employers can use these tools to scrutinize their employees to the point of misery.
MIPA would significantly restrict this kind of invasive surveillance. Right now there is a billion-dollar market for your phone’s location data. The mobile apps you use often collect this data and then sell it to an obscure group of companies that profit off your movements through advertising and further resale of information about you. MIPA would cut that market off at the source because it would prohibit companies from selling or trading your location data.
Under MIPA, people and companies using Amazon’s new home security drones with cameras would have to get people’s handwritten consent before using facial recognition tools on them. Easily forgotten and overlooked “I Agree” buttons won’t do. MIPA also contains strong rules against excessive workplace surveillance. Employees in Massachusetts would be able to do their jobs without having to worry about having their every step monitored.
MIPA also takes a layered approach, combining broad foundational duties and rights with specific prohibitions on conduct. It’s common to talk about the “right to privacy” in the United States. But in truth, our privacy rights are relatively thin, scattered, and porous. The Fourth Amendment to the Constitution limits only certain kinds of government searches and seizures. Private companies have far more freedom to collect and use our data.
MIPA would change that for the people of Massachusetts, imposing formidable duties of confidentiality, care, and loyalty on bigger businesses that collect and use our data.
Under a duty of confidentiality, companies would be prohibited from selling your data without ensuring, for example, that the recipient of your data is contractually bound to the same duties of confidentiality, care, and loyalty. This would practically eliminate a large chunk of data sales.
A duty of care would obligate bigger companies to better protect your data against unauthorized access by hackers and snoops. And a duty of loyalty would prevent companies from acting in ways that conflict with your best interests. For example, when you’re using mobile apps or websites, do you ever feel tricked, pressured, or swayed into choosing a comically large “I Agree” button instead of a well-hidden “Decline” button? Have you ever tried to delete an account, only to be discouraged by an endless maze of confusing choices? Tech companies regularly deploy manipulative design choices like preselected boxes, hidden buttons, and confusing directions that benefit the company at our expense. As the most recent whistleblower from Facebook has demonstrated, companies also sometimes design their algorithms to use our personal data in harmful, misleading, and divisive ways because it drives more “engagement” with the service. But under MIPA, regulators could better scrutinize user interfaces, targeted online ads, and personalized news feeds for danger and self-dealing.
MIPA would also empower the people of Massachusetts like never before. The bill would give us rights to access, correct, and delete our data. I could have used this right myself a few years ago when an error in a database attributed my personal information to someone else’s financial history. My car was almost wrongfully impounded. We all could benefit from the ability to delete decades-old data tied to unused accounts and social media posts. It would also give us data portability rights, allowing us to take our data to a competitor if we want to switch services.
Maybe the most important aspect of MIPA is that it has teeth. It would create a powerful new Massachusetts Information Privacy Commission, which would have the authority to investigate potential wrongdoing and create and enforce privacy regulations. It would also provide ways for us, the people affected by privacy violations, to bring complaints to the commission and seek damages in court. The bill provides for civil penalties on a par with the European Union’s General Data Privacy Regulation, which could hold the largest companies like Facebook accountable for billions for the most serious violations.
Massachusetts has a proud tradition of privacy trailblazing. In 2010 it passed one of the first and most robust data security laws in the country. Massachusetts Attorney General Maura Healey has taken strong steps to hold tech companies accountable for their privacy violations. Massachusetts again has an opportunity to set the tone for the rest of the country. If the bill becomes law, it would set the high-water mark for protection in the United States, just in time to guide the federal government and almost every other state as they contemplate their own privacy rules.
Our current privacy laws are not working. They were not designed to confront the likes of Amazon and Facebook. They do not tackle the massive power that bigger businesses wield over our everyday lives when they use tools of surveillance and discrimination. The people of Massachusetts deserve better. MIPA provides a road map to reclaim our privacy.
Woodrow Hartzog is a professor of law and computer science at Northeastern University.