Summary: Large amounts of consumer data can be collected, processed, and analyzed by operators of websites and mobile applications (apps) and by third parties, which are entities other than the primary operator of the website or app (e.g., data brokers). Operators collect data for multiple purposes, including providing services, selling user data to third parties, or sending targeted ads directed to specific individuals.
The value of consumer data often comes from identifying users and linking their data from various sources to a common identifier. Operators can identify individuals using their personally identifiable information (PII)—such as name, address, or date of birth—and other identifiers, such as those associated with a particular device. Some federal laws prevent entities from collecting or sharing specific types of PII or identifiers in certain circumstances. However, in recent decades, the ubiquity of non-PII (data not directly linked to an individual’s identity, including anonymized or aggregated data) and the emergence of new data collection and tracking tools have made it easier to identify individuals.
Consumer data can be collected using various data collection and tracking tools, such as cookies, pixels, device and browser fingerprinting, application programming interfaces (APIs), and software development kits (SDKs). These tools can continuously collect different types of data, including identifiers, even when the consumer visits a different website or app. Some of these tools are necessary for websites and apps to provide services, and others typically are used for online advertising. Some of these tools can be used to help develop a website or app and offer services provided by other operators, which can increase competition. They also can be used to collect large amounts of data, particularly by third parties, causing some to raise consumer data privacy concerns.
The United States does not have a comprehensive federal data protection law, although multiple federal statutes create data protection obligations for particular types of information or for entities engaged in certain activities. For example, the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501-6506) requires online services directed to children under 13 years of age that collect personal information to notify users about the data collection, receive parental consent, and maintain “reasonable procedures” to protect the data. COPPA is enforced by the Federal Trade Commission (FTC), which has brought enforcement actions against companies for their consumer data collection practices under its authority to prevent “unfair or deceptive acts or practices in or affecting commerce.” For example, it has taken action against companies for allegedly handling personal information in a way that contradicts their privacy policies. The FTC is also considering whether it will implement new rules on data collection and security to protect consumers’ data and privacy.
A comprehensive federal data protection law may have differential effects. For example, prohibiting the collection of consumer data would provide the highest level of data security but could also prevent some operators from providing their services or degrade the quality of their services. Prohibiting the transfer or sale of consumer data might provide some data protection, depending on the operators that consumers are willing to share their data with, but could also further entrench incumbents that have already collected large amounts of consumer data. Increasing transparency on the collection and use of consumer data—particularly if doing so would heighten public scrutiny of the operator—might incentivize operators to adjust their current practices but might not significantly alter operators’ behavior if consumers continue to use the website or app.
Some Members of the 117th Congress have introduced bills to create a comprehensive data protection law. If Congress chooses to pursue legislative action, it may consider (1) whether the legislation would broadly address consumer data collection or focus on specific types of data; (2) whether to implement requirements for operators or allow consumers to determine which entities can receive their data; (3) whether the legislation would preempt state laws; (4) whether to include a private right of action; and (5) potential unintended effects.