It is time for the United States Congress to pass a comprehensive consumer privacy law.

The GDPR and the CCPA serve as starting points for several recent bills. However, neither the GDPR nor the CCPA distinguish in their choice frameworks based on whether or not personal information is reasonably identifiable, or on whether or not personal information is used for tracking. As a result, the GDPR fails to effectively incentivize use of pseudonymization, and the CCPA fails to effectively disincentivize tracking.

We develop classifications of personal information based on the degree of identifiability of this information. We create a choice framework that, unlike the GDPR or the CCPA, utilizes all three options: mandating use through terms and conditions, requiring an opt-out choice, and requiring opt-in consent.

We develop corresponding notice requirements that enable consumers to make informed choices over the collection, use, and sharing of their personal information.

These proposals can be used to create policy options in between those offered by the GDPR and the CCPA.

Definitions

Incentivizing pseudonymization

Privacy frameworks often only define two classes of information: personal information and de-identified information. However, defining only two classes of information encourages policy fights over where the line is drawn between these two.  If the definition of de-identified information is narrow (e.g., information that is neither reasonably identifiable nor reasonably linkable), then companies may see little incentive to use pseudonymization.  If the definition of de-identified information is too broad or too vague (e.g., by not clearly differentiating between linkability and identifiability), then many companies assert that pseudonymous information is de-identified.

We propose defining three classes of information:

• ‘de-identified information’ – information that is neither reasonably linkable nor reasonably identifiable (e.g., information without persistent identifiers), with legal controls to ensure that the information does not become reasonably linkable.
• ‘pseudonymous information’ – information that is reasonably linkable but not reasonably identifiable (e.g., information with pseudonymous identifiers), with legal controls to ensure that the information does not become reasonably identifiable.
• ‘reasonably identifiable information’ – information that is both reasonably linkable and reasonable identifiable.

By using three classes of information, we can incentivize pseudonymization without identification.

Disincentivizing tracking

Privacy frameworks often do not differentiate between trackable and non-trackable information.  If both trackable and non-trackable information are treated as personal information without differentiation, then companies may see little incentive to not track users. 

We propose defining:

• ‘non-trackable information’ – information that is reasonably linkable but cannot be reasonably associated with information from another context or interaction (e.g., information with a one-time identifier), with legal controls to ensure that the information does not become trackable.

By differentiating between trackable and non-trackable information, we can disincentive tracking.

Differentiating between functional and non-functional use of personal information

When a company uses a consumer’s personal information solely to offer functionality of a service or application, the consumer naturally faces a take-it-or-leave-it decision: whether to allow the use and obtain the corresponding functionality.  In contrast, when a company uses or shares a consumer’s personal information for non-functional purposes (e.g., monetization), privacy frameworks often require opt-in or opt-out consent.  The proposal defines ‘functional use’.

Choice

A privacy framework must determine when opt-in consent or opt-out consent should be required.  The lines are often drawn based on the type of information (e.g., sensitive versus non-sensitive) and/or the use of the information (e.g., functional use versus non-functional use, and use versus sharing).

In markets with effective competition, we propose opt-out for:

• non-functional use of non-sensitive reasonably identifiable information
• non-functional use of sensitive pseudonymous information
• sharing of non-sensitive pseudonymous information
• sharing of sensitive non-trackable information

In markets with effective competition, we propose opt-in for:

• non-functional use of sensitive reasonably identifiable information
• sharing of reasonably identifiable information
• sharing of sensitive pseudonymous information

By drawing the line between opt-in and opt-out consent in this manner, we:

• incentivize pseudonymization
• disincentive tracking
• apply a higher threshold for non-functional use
• apply a higher threshold for sharing
• apply a higher threshold for sensitive information

In markets without effective competition, we propose using higher thresholds.

Notice

Purpose and use of each category of information.

Privacy frameworks often require disclosure of the categories of information collected and of the uses of information.  However, disclosures of collection and of use are often disconnected, denying consumers an understanding of which information is collected for which use.  We propose requiring disclosure of the purposes for which each category of information is collected.  We also propose requiring the disclosure of the classification of each category (e.g., reasonably identifiable or pseudonymous) and the functional use (if any).

Purpose of each category of personal information shared.

Privacy frameworks often require disclosure of the categories of information collected and of sharing of information.  However, disclosures of collection and of sharing are often disconnected, denying consumers an understanding of which information is shared.  We propose requiring disclosure of the purposes for which each category of information is shared.  We also propose requiring the disclosure of the classification of each category (e.g., reasonably identifiable or pseudonymous).

Methods, sources, and recipients.

Privacy frameworks differ in whether they require the disclosure of the methods, sources, and recipients of information.  We propose requiring disclosure of methods and sources, so that consumers may learn whether their personal information came from and exercise any upstream rights.  We also propose requiring disclosure of the recipients, so that consumers may learn where their personal information is going and exercise any downstream rights.

Our proposal:

Proposed statutory text for notice and choice requirements

The full proposal, along with a full explanation of its development:

A Proposal for Notice and Choice Requirements of a New Consumer Privacy Law, Federal Communications Law Journal, vol. 74, issue 3, pp. 251-328.         

Portions of this work were supported by the Herman P. & Sophia Taubman Foundation and by NSF. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or IEEE. This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. One print or electronic copy may be made for personal use only. Permission must be obtained from the copyright holder for systematic or multiple reproduction, distribution to multiple locations via electronic or other means, duplication of any material in these papers for a fee or for commercial purposes, modification of the content of these papers, reprinting or republishing of this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, and to reuse any copyrighted component of this work in other works.