Proposal for a National “Do Not Sell My Personal Data” Registry
This blog post is a proposal for a national “Do Not Sell My Personal Data” registry modeled after the Federal Trade Commission’s national “Do Not Call” registry — but much better! — that complements existing and proposed privacy legislation and in less than 1 minute lets consumers put a stop to businesses from selling their personal data.
** (The Less than 1 Page) Executive Summary **
Businesses are amassing massive amounts of our personal data and using this data in intrusive ways to profile, influence and surveil us on an unprecedented scale. In effect our Fourth Amendment rights to be secure in our “persons, houses, papers, and effects, against unreasonable searches and seizures” is being significantly challenged in today’s digital age.
Consumers need to be able to take control of their data. Privacy legislation only exists in 3 States (California, Maine and Nevada), and national legislation is far off in the horizon, so the vast majority of American have little to no data protection and online privacy rights vis a vis their personal data. Furthermore, even in California, which has the most comprehensive law in the United States in the form of the California Consumer Privacy Act (CCPA), the onus is on the consumer to find which of the potentially 1000s of businesses have their data and then request for the opt-out of the sale of their personal data (and/or request deletion, etc.) — and do this manually for each and every business and/or website. And even if websites universally implemented support for a browser plug-in or privacy setting for consumers to signal “do not sell my personal information” when they visit the site, the reality is there are still 100s of businesses who have aggregated your data whose website you will never visit.
My proposal is a national “Do Not Sell My Personal Data” registry modeled after the Federal Trade Commission’s (FTC) “Do Not Call” registry. Note the “Do Not Call” registry has been challenged in court and found to be Constitutional, so a “Do Not Sell My Personal Data” would also fair well to any challenges.
The way it works is simple for consumers: they visit the national “Do Not Sell My Personal Data” registry website, put in their email address, and get a verification email in their inbox (note other personal identifiers could be added). For data brokers who sell personal data, they must register with the agency in charge of registry (e.g. the FTC) and are given an Application Programming Interface (API) that makes requests to the registry. Then whenever a data broker is about to sell personal data, the broker must first use the API to determine if there any identifier matches (e.g. email addresses) in the database of personal information they plan to sell. Any flagged matches and corresponding records cannot be sold. Compliance can easily be checked by adding to the registry “honeypot data” to sniff out violations.
Thus consumers get a simple (and free!) one-stop shopping to stop the sale of their personal data — a quick win vs. waiting for privacy legislation (and even then, having to play “whack-a-mole” and contact 100s if not 1000s of businesses to stop the sale of their personal data). Additional identifiers with verification (e.g. home address, social security number, etc.) could be added over time as well as to strengthen the ability to limit sale of personal data specific to that data, and the registry can be further enhanced in subsequent versions by adding requests to delete etc. And the good news is that this proposal complements any State or Federal privacy legislation that may exist or emerge.
** The Longer and More Detail Write-Up **
The Problem
Businesses today collect massive amounts of personal data about you. Data such as what purchases you have made, what locations you have been to (e.g. a church, a cancer treatment center, an Alcoholics Anonymous office, if you had participated in a Black Lives Matter rally, etc.), if you are pregnant, what your weight is, what websites you have searched and from what IP addresses, what types of devices you use, your cell phone number, who your relatives are, etc. Many of these businesses then sell it other businesses, including firms known as “data brokers,” who aggregate that personal data and create profiles of you with 1000s of attributes and even “score” you in a multitude of categories.
Here’s what a profile could look of you as based on what one data broker firm, Acxiom, advertises with a product called Global Data Navigator: (although the graphic below is out of date as the graphic says Acxiom has 3000 attributes when Acxiom now advertises it has up to 10,000 (!!) attributes per person):
In fact, Acxiom advertises it has data on 2.5 billion “addressable consumers” that represents “68% of the world’s digital population” across 60+ countries.
Why is this bad for you and me to be “an addressable consumer”?
As this Fast Company article notes: “All that information can be used to create profiles of you—think of them as virtual, possibly erroneous versions of you—that can be used to target you with ads, classify the riskiness of your lifestyle, or help determine your eligibility for a job.”
So, you may say, “so what if I get a bunch of personalized ads?” But this also opens the door for businesses to use automated decision making to not give certain people health insurance, or not hire someone who attend a Black Lives Matter rally, or have ads served to you with quack cancer cures if you had recently visited a cancer center. Or as we have seen with Cambridge Analytica, use that data to play on your fears to manipulate you or influence you to vote for a certain candidate, or for a foreign adversary to fuel internal rage with our citizens. There is also a cybersecurity element to this — for example hackers can use this information to easily crack your security questions (e.g. “what high school did you go to”?) and break into your online accounts.
Current Privacy Laws (if they Exist) Don’t Address Bulk “Do Not Sell” Requests
The good news is that there is growing awareness for the need for privacy legislation given that consumers want to take control of their personal data. The bad news is that in the US, only exists in 3 States (California, Maine and Nevada), and national legislation is far off in the horizon, so the vast majority of American have little to no data protection or online privacy rights vis a vis their personal data.
Furthermore, even in California, which has the most comprehensive law in the United States in the form of the California Consumer Privacy Act (CCPA) the onus is on the consumer to know and find which of the potentially 1000s of businesses have their data and request the opt-out of the sale of their personal data (and/or request deletion, etc.). This is also the case with Version 2.0 of the CCPA, the California Privacy Rights Act (CPRA) of 2020, that is on the ballot in November and will hopefully pass (and I am definitely voting yes for it).
Both the CCPA and CPRA do make things easier by offering up the solution of businesses updating their websites to support a browser plug-in or privacy setting that in turn lets consumers to signal “do not sell my personal information” when they visit the site. But even with this welcome solution, the reality is there are still 100s of businesses such as data brokers who have aggregated your data whose website you will never visit.
Don’t get me wrong, CCPA and CPRA are great, giving us California residents a bunch of consumer rights and enforcement mechanisms. And CPRA gets California on par with the gold standard of privacy legislation, Europe’s General Data Protection Regulation (GDPR). But it would be great to have more help for consumers in letting them stop the sale of personal data.
My Proposed Solution
The way it works is simple for consumers: they visit the national “Do Not Sell My Personal Data” registry website, put in their email address, and get a verification email in their inbox (note other personal identifiers could be added). For data brokers who sell personal data, they must register with the agency in charge of registry (e.g. the FTC) and are given an Application Programming Interface (API) that makes requests to the registry. Then whenever a data broker is about to sell personal data, the broker must first use the API to determine if there any identifier matches (e.g. email addresses) in the database of personal information they plan to sell. Any flagged matches and corresponding records cannot be sold. Compliance can easily be checked by adding to the registry “honeypot data” to sniff out violations.
Thus consumers get a simple (and free!) one-stop shopping to stop the sale of their personal data — a quick win vs. waiting for privacy legislation in States outside of California (and even as a California resident, having to play “whack-a-mole” and contact 100s if not 1000s of businesses to stop the sale of their personal data). Additional identifiers with verification (e.g. home address, social security number, etc.) could be added over time as well as to strengthen the ability to limit sale of personal data specific to that data, and the registry can be further enhanced in subsequent versions by adding requests to delete etc. And the good news is that this proposal complements any State or Federal privacy legislation that may exist or emerge.
What Are the 11 Key Benefits?
#1 It would be easy to use for consumers — we are talking just visit a website, put in your email address, get a verification email in your inbox, and click the link to confirm. Less than 1 minute of their time.
#2 It is a more scalable solution than even the most comprehensive US privacy legislation in terms of blocking the sale of personal data — as you can see from the screenshot below in terms of the guidance provided by the California Attorney General in terms of how consumers can exercise their privacy rights, the consumer must visit a website, click a link, scroll through a bunch of text, confirm, etc. Then rinse and repeat. And as I stated above, the reality is that in the State of California there are approximately 350 registered “data brokers” whose sites you will never visit directly and probably have never heard of. And each of those brokers have a different way to request do not sell, delete, etc.
Source: California Attorney General twitter account
#3 It can be offered for free to consumers — certainly there are or will be software companies out there who will try to figure out a way to offer a mass “Do Not Sell” solution for its customers. But those software companies need to do a lot of programming and maintain an app to offer this functionality, so they need to make money, and will charge a consumer between $30 and $100 a year. Like the “Do Not Call” registry, this could be a free service and therefore can be utilized by more people. There could always be a market for more personal privacy capabilities offered by software vendors, but the base level capability provided by my proposal could set the floor.
#4 It passes Constitutional muster (and State law too!) — because it is modeled on the national “Do Not Call” registry, which is an “Opt-Out” model, it is unlikely this “Do Not Sell My Personal Data” registry will be successfully challenged in Court. Specifically, the case of Mainstream Marketing Services, Inc. vs the FTC [10th Circuit 2014] found that “The do-not-call registry prohibits only telemarking calls aimed at consumers who have affirmatively indicated that they do not want to receive such calls and for whom such calls would constitute an invasion of privacy.” So same deal with the “Do Not Sell My Personal Data” registry. Furthermore, states such as Vermont and California have both successfully instituted Data Broker registries, with corresponding definitions of who should register and registration fees etc., so requiring data brokers to also register with a federal agency should not be a problem, much like the Do Not Call registry requires registration by telemarketing firms.
#5 It is easily implemented by data brokers and could be operated in a safe and secure manner — once a data broker is registered, they will be given an API who usage is identifiable back to them. So, all queries to the registry can be associated with what broker is doing the query. Furthermore, the API just confirms if a given email address matches an email address in the registry, so the API could not be used to mine the registry for new emails.
#6 It could easily add other elements of identifiable personal data to expand its reach — one issue is that people may say that there is a lot of personal data that is not associated with an email address. But the registry can incrementally add additional “personal identifiers” over time. For example, one identifier could be mailing address. A consumer could not only register their email address but also add their home address as data that further identifies their personal information held by data brokers. Using commonly available verification tools now available to websites, the registry website would then request for a photo ID to be accessed via the device’s camera to verify if the address is associated with the consumer. Then to further verify the home address, a letter would be sent to the address, with the letter containing a URL or QR code that acts as confirmation of the registry addition of the home address. Or if Social Security Number is personal information that a consumer does not want sold, they could enter their Social Security Number in the registry, and verification of that request could only occur be logging into the consumer’s SSA.gov account and confirming a notification. Same with registering Passport numbers. So it could scale over time to more identifiers of personal data.
#7 It could be extended to block junk mail or integrated with the Do Not Call registry — using the verification described above for home addresses, the registry could evolve to also allow consumers to block the sending of junk mail to them through the USPS. There could also be integration with the “Do Not Call” registry to stop the sale of personal information associated with a given phone number. Point is there could be hooks into multiple US Government agencies such as FTC, USPS, State Department, etc. or even state government systems.
#8 It could be extended to request deletions of data — Rome was not built in a day, so let’s get a quick win with “Do Not Sell”, but this could eventually act as a platform for further rights.
#9 Smarter people than me have proposed something akin to this — Apple CEO Tim Cook wrote this in Time Magazine in 2019 re: privacy: “… the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.” Senator Wyden introduced in 2017 the “Data Broker Accountability and Transparency Act of 2017.” So, others including the largest tech company in the world (Apple) have thought something along these lines.
#10 It would be easy-ish to find cheaters— enforcement personnel could register “honeypot” email addresses with the registry, then set up accounts on 1 or 2 websites with that email, and it would be easy to see if those websites eventually still went ahead and sold that data based on the email address (e.g. observing over time if the email address is being targeted with email offers from entities other than the 2 websites it signed up for etc.).
#11 It complements any existing Federal or State privacy laws— consumers still need their privacy rights such as Right to be Informed, Right to Access, Right to Rectify, etc., as well as we need enforcement mechanisms found in privacy legislation such as GDPR, CCPA and CPRA. This proposal is not an “either or” vis a vis CCPA or national privacy legislation. It complements privacy legislation, just like Data Breach Notification laws complement privacy legislation. But if you combine privacy legislation and a “Do Not Sell My Personal Data” registry, then for consumers they finally have full control over their personal data and can do so in a scalable manner.
Thanks for visiting my Ted talk 😊. Let me know what you think!