It should be illegal to collect and permanently store most kinds of behavioral data.
In the United States, they warn us the world will end if someone tries to regulate the Internet. But the net itself was born of a fairly good regulatory framework that made sure de facto net neutrality existed for decades, paid for basic research into protocols and software, cleared the way for business use of the internet, and encouraged the growth of the commercial web.
It’s good regulation, not lack of regulation, that kept the web healthy.
Here’s one idea for where to begin:
- Limit what kind of behavioral data websites can store. When I say behavioral data, I mean the kinds of things computers notice about you in passing—your search history, what you click on, what cell tower you’re using.
It’s very important that we regulate this at the database, not at the point of collection. People will always find creative ways to collect the data, and we shouldn’t limit people’s ability to do neat things with our data on the fly. But there should be strict limits on what you can save.
- Limit how long they can keep it. Maybe three months, six months, three years. I don’t really care, as long as it’s not fifty years, or forever. Make the time scale for deleting behavioral data similar to the half-life of a typical Internet business.
Limit what they can share with third parties. This limit should also apply in the event of bankruptcy, or acquisition. Make people’s data non-transferable without their consent.
Enforce the right to download. If a website collects information about me, I should be allowed to see it. The EU already mandates this to some extent, but it’s not evenly enforced.
This rule is a little sneaky, because it will require backend changes on many sites. Personal data can pile up in all kinds of dark corners in your system if you’re not concerned about protecting it. But it’s a good rule, and easy to explain. You collect data about me? I get to see it.
Enforce the right to delete. I should be able to delete my account and leave no trace in your system, modulo some reasonable allowance for backups.
Give privacy policies teeth. Right now, privacy policies and terms of service can change at any time. They have no legal standing. For example, I would like to promise my users that I’ll never run ads on my site and give that promise legal weight. That would be good marketing for me. Let’s create a mechanism that allow this.
Let users opt-in if a site wants to make exceptions to these rules. If today’s targeted advertising is so great, you should be able to persuade me to sign up for it. Persuade me! Convince me! Seduce me! You’re supposed to be a master advertiser, for Christ’s sake!
Make the protections apply to everyone, not just people in the same jurisdiction as the regulated site. It shouldn’t matter what country someone is visiting your site from. Keep it a world-wide web.