Data privacy legislation is not about secrecy; it’s about transparency. I know a lot about both. I was one of the original coauthors of the initiative that became the California Consumer Privacy Act (CCPA), the most comprehensive privacy law in the U.S., and before that I was a CIA counterintelligence officer and counsel on the House Intelligence Committee. Surprisingly, it was my career as a spy—where I did things like provide oversight of the NSA wiretapping program Edward Snowden later disclosed—that made me realize how desperately the U.S. needs a law to protect consumers’ online privacy. I’m inspired by this quote shared by Gabriel Weinberg, the founder of the privacy-focused search engine DuckDuckGo: “Everyone knows what you do in the bathroom, but you still close the door.” In other words, your info may not be a secret, but it should remain private.
The U.S. government hasn’t gotten that memo. Until the CCPA went into effect on January 1, 2020, there was minimal regulation as to what personal information companies could collect, how they could use it, and with whom they could share it. Outside of California, that’s still the case. When you click “accept” on an app or website, it’s nearly impossible to know what terms you’re really agreeing to. Companies can know where you live, how fast you drive, whether you have a chronic health condition, and even if you are pregnant or were a rape victim.
This personal information can be used to serve you annoying advertisements, fueling a $100-billion-plus digital advertising market. There are even entire companies, called ad or data brokers, that exist to collect, package, and sell data. It can be shared with employers, insurance companies, marketers, and more. Some entities even create an e-score, which can be purchased by virtually anyone. Unfortunately, the discriminatory effects of e-scores largely impact women and people of color.
The CCPA grants all Californians the right to find out what information businesses are collecting, opt out of the sale of personal information, and sue businesses if personal information is stolen. A looming question is whether Congress will pass comprehensive federal privacy legislation, like the European Union’s General Data Protection Regulation. Several bills have been introduced, including one from New York senator Kirsten Gillibrand, but have been largely unsuccessful due to lobbying by the tech, retail, and advertising industries.
Governmental change takes time, but there are things you can do right now: If you live in California, opt out of the sale of your data. (Websites now must list this option.) If you live in Nevada or Maine (both have privacy laws), learn how you’re protected. If not, contact your representatives and demand that they pass legislation. (Several states, including New York and Washington, are working on bills.) Your information is being used against you. It’s time to take it back.
This article originally appeared in the Fall 2020 issue of Marie Claire.