We need to give consumers more information about how their data are being used and shared, and we need to obtain more meaningful consent from people when they agree to give their data to a company.

The headlines announcing the compromise of perhaps 1 billion user files at Yahoo underscore the pervasive nature of data breaches in today’s online environment. Yahoo is sending notifications to its account holders, notifying them that their personal data have been hacked.

Like the breaches at Target, Premera and thousands of other firms, the breach notifications basically tell the recipients:

• Their data have been hacked

• Yahoo isn’t sure what was taken or how it has been used

• The company can’t confirm the identity of the perpetrator

• Customers should avail themselves of credit-reporting services.

In light of these unhelpful breach notices, is it any wonder that consumers respond with anxiety and frustration? As someone who has served as a privacy officer in corporate and government roles, I’d like to propose that it is well past time to overhaul our privacy-notice and breach-notification regimes.

We need to give consumers more information up front about how their data are being used and shared, obtain more meaningful consent from people when they agree to give their data to a firm and increase transparency in the event of a data breach. The tools to accomplish these tasks exist today, and more privacy-conscious companies, such as Microsoft, are already employing some of them.

Our current data-protection scheme in the U.S. is broken, making it more difficult for our companies to do commerce abroad and to process the data of citizens of other jurisdictions. While the upcoming Privacy Shield “safe harbor” will facilitate commerce with citizens of the European Union, it does not address the underlying deficiencies in our privacy system.

Simply put, we need to give consumers more tools to protect their personal information. To use these tools, we need to give individuals transparency in context: How long will my data be kept? Will they be shared and with whom? Will I have access to my own data?

In 1995, I wrote one of the first consumer-facing privacy policies for an internet company. The policy described our data-collection practices in one page. Even in those early days, we noticed that few consumers clicked on our privacy policy. Today, privacy policies can be 30 to 40 pages, describing myriad scenarios of how a company might use the data provided by its customers. A tiny fraction of consumers read them. In one well-publicized case, a British game company told users in its terms of service policy that they were consenting to “sell their immortal soul” to the company. Thousands of online consumers immediately accepted the deal.

While such policies provide corporations with legal protection, no one seriously argues anymore that they provide meaningful consent in a practical form.

Making it as easy for consumers to consent to data-usage practices as it is for them to originally sign up for an online service or account would go a long way toward building trust and long-term relationships. People would feel more secure about how a company used their data and, in turn, would have less anxiety in the event of a data breach.

Moving to a more transparent data-protection regime would also benefit U.S. firms doing business in Europe and other jurisdictions, which have already adopted and implemented codes of “fair information practices.” In a world where people have the expectation that their data move with them wherever they travel or live, we need to adopt concepts of data protection that are not tied to one nation.

While 47 states have individual data-breach-notification statutes, harmonizing these laws at the currently low level of consumer protection makes little sense. Rather, companies, nonprofits and other entities that collect user information online should treat the people who use their services with more respect: telling them what information they have about a breach, how long they have known about it and their strategy for coping with this instance and future breaches.

The United States benefited for many years from the absence of general privacy or data-protection laws, relying on the Federal Trade Commission and the Federal Communications Commission to bring enforcement actions in salient cases. We now need to consider a general data-protection statute along the lines of the European Union’s. We also need to encourage experiments with “consent in context” and other means for companies to give people who consume their products and services much more meaningful control over their personal data.

American firms don’t need to wait for new laws to begin this process. Investment in crafting new websites and user tools could be modest, but companies would secure more loyal customers in more jurisdictions as the internet continues to erase traditional borders.