Fragmented US privacy rules leave large data loopholes for Facebook and others
US privacy laws focus on informing consumers what's happening with their data; other countries specifically restrict data collection and analysis.

Facebook CEO Mark Zuckerberg’s Congressional testimony will discuss ways to keep people’s online data private, which I’m interested in as a privacy scholar. Facebook and other U.S. companies already follow more comprehensive privacy laws in other countries. But without comparable requirements at home, there’s little reason for them to protect U.S. consumers the same way.
Inform customers and secure data
U.S. privacy laws are mostly based on the Federal Trade Commission’s Fair Information Practice Principles, which recommend companies:
- tell customers about their data practices,
- give people some choice about additional uses,
- provide people with access to information about them, and
- ensure the security of the data collected.
In some industries, there are regulations for handling what’s called “personally identifiable information.” Federal laws protect medical information, financial data and education-related records.
Online services and apps are barely regulated, though they must protect children, limit unsolicited email marketing and tell the public what they do with data they collect.
Online tracking and advertising is self-regulated: Industry associations set rules for their members. Data collection by emerging technologies, such as smart speakers or self-driving cars, is mostly unregulated. The FTC does investigate if companies are “unfair or deceptive,” but firms that prominently disclose what they do may avoid trouble.
Strong limits on data collection
Europe, by contrast, generally prohibits collecting and using personal data. Its General Data Protection Regulation, which takes effect on May 25, applies to all businesses and government agencies in European Union member countries – including U.S. companies offering services in Europe.
The GDPR gives six reasons for collecting personal data. But even then, any analysis must be closely related to the purpose for which the data was collected. For example, a fitness-tracking company couldn’t sell users’ exercise data to a health insurance company without additional consent. Companies that violate the GDPR may be fined up to 20 million euros, or 4 percent of the firm’s worldwide annual revenue.
Building on the GDPR, Europe’s forthcoming ePrivacy Regulation will likely require explicit individual consent before a company can track a person’s online activity.
Many other countries, including Mexico, Switzerland and Russia, have adopted comprehensive privacy regulations like the EU’s. Canada also broadly regulates how government agencies and private companies use data.
The advantage of comprehensive privacy protections is that they’re consistent across services and industries, even as new technologies emerge.
Florian Schaub conducts research on personal privacy. He has received funding from the National Science Foundation as part of the Usable Privacy Policy Project.