App and web browser developer Mozilla just released its own very specific guidelines for a federal privacy law. They are more consumer-centric than the positions of other tech companies, although they do align with comments from some tech industry representatives before the Senate a month ago, where they said they wanted a “stronger” federal privacy law than the consumer-centric California Consumer Privacy Act (CCPA).
Mozilla’s guidelines join the growing list of privacy law drafts and proposals from consumer advocates like the Center for Democracy and Technology and senators like Catherine Cortez Masto (D-Nev.) and Brian Schatz (D-Hawaii).
Some consumer advocates like the Electronic Frontier Foundation (EFF) worried in the past that tech companies’ privacy positions and proposals would be pro-business and not pro-consumer, but Mozilla’s guidelines, Apple CEO Tim Cook’s January op-ed and Facebook CEO Mark Zuckerberg’s recent op-ed suggest that a growing number of tech companies think a consumer-centric law like the European Union’s GDPR is a good model for a U.S. federal privacy law.
Of course, part of the support for GDPR-like legislation revolves around compliance. Business operations for tech companies will be easier if there’s a universal privacy standard that’s mostly the same across different countries and continents. Europe already set a privacy precedent, and tech companies want to avoid a global patchwork of privacy laws.
Like GDPR and the CDT’s legislative proposal, Mozilla’s guidelines call for more corporate responsibility regarding user data. Mozilla highlights principles like limiting data collection to only data necessary to provide a certain product or service, deleting user data no longer needed by the company, and deleting user data upon a user’s request.
The guidelines also state a list of “authorized uses” for data collected by a tech company, so as to maximize consumers’ privacy.
“Covered entities have an obligation to protect the security and privacy of personal data,” the company said, according to the document.
Mozilla also calls for the Federal Trade Commission (FTC) to be the primary enforcer of any future federal privacy law.
“In particular, the FTC will have the authority to issue rules and levy penalties regarding the use of dark patterns by covered entities to compel users to divulge personal information, spend money, or share personal contacts (e.g. friend spam),” Mozilla said.
CDT’s Director of the Privacy and Data Project Michelle Richardson, who helped draft the CDT’s privacy bill, told InsideSources that Mozilla’s guidelines have great ideas.
“They are much more specific than some of the other corporate proposals, which is a good sign. They really care about corporate responsibility for data use,” she said, pushing back on “soft touch” proposals that put the onus of privacy responsibility on users. “It’s really nice to see someone in the tech industry embrace limitations on data collection and use.”
The CDT’s privacy bill also calls for limitations on data use and collection.
“The collection and use of data is really important to see from a tech company,” she said. “That’s really what’s most important to us. It’s a forward and consumer-centric approach to privacy. It’s really saying, what do companies owe their consumers? Not, what toggles can we give consumers to flip off and on to share what with who and when and for what purpose? That’s just not going to happen. This puts the [responsibility] on the company.”
Richardson said one of the only qualms she has with Mozilla’s guidelines is that they don’t address the transparency and information problem regarding users’ privacy.
“There isn’t a consent override to all of these protections,” she said. “If there’s a consent override to every one of your rights or corporate responsibilities, you encourage the continuation of the current practice, to gain the box checking, like how do I just encourage people to check the box [of the Terms of Service]?”
Cook also brought up transparency and consumer education as it relates to privacy in his January op-ed for TIME.
“Right now, all of these secondary markets for your information exist in a shadow economy that’s largely unchecked—out of sight of consumers, regulators and lawmakers,” he wrote. “Let’s be clear: you never signed up for that. We think every user should have the chance to say, ‘Wait a minute. That’s my information that you’re selling, and I didn’t consent.’”
“[Other companies] might balk at how specific it is,” Richardson said. “They’re looking at more vague language to make it harder for regulators to pin them down.”