Chairwoman Chikowski, ranking member McMorris Rogers, members of the subcommittee.
Thank you for the opportunity to testify today.
My colleagues and I at the Center for Democracy and Technology are tremendously excited about the prospect of Federal privacy legislation.
We appreciate your leadership in taking on this challenging issue.
I've seen data over the last several decades have become full of jargon and overly complexified.
So I have one basic message today and that is notice and choice are no longer a choice any privacy legislation that merely cements the current status quo of the notice and consent model for personal data.
Is a missed opportunity.
Let me take a moment to demonstrate why that [UNKNOWN] is not working for individual consumers and companies.
If I can respectfully request the members on their staff to take out their phones, some of you already have them out I heard them ringing, and take a look at the homepage Open it up with whatever you use to open up your phone.
Mine is my fingerprint.
Not working.
Now look at your home page.
How many Apps do you have?
Have 262 apps on my phone.
I had 261 until Saturday night when the kids said mom, we want Chipotle for dinner, and I had to download again the Post Mates app.
So now it's 262.
The average person has around 80 according to current research.
You can call me an overachiever or just a working mom.
But for each of these 80 or so applications you have already given the company behind it your consent to use your personal data, and likely in a variety of ways.
For some of those apps your sharing your location data.
Others your financial data, your credit card numbers.
So of your apps have information about your physical activity, your health.
And other intimate information, even in real time.
Regardless of the types of data, you have received 80 notices, and 80 different consents have already been given.
Do you remember the personal data you agreed to consent to give?
And do you remember the purposes for which you shared it?
Do you have a good understanding of how the companies behind those apps and devices are going to use that information six weeks from now.
Six months fr or six years from now.
Now lets assume.
For the sake of this demonstration that each of those 80 companies has even just a modest number of information sharing agreements with third parties.
Back in 2015 which is the ancient times of the internet, the average smartphone app was already automatically sharing data with at least three companies, and three different parties.
You don't know those companies, you don't have a direct relationship with them.
And now they have your personal information.
Because you were given notice, and you consented.
And that means the average smart phone user has given consent for their data to be used by at least 240 different entities.
That doesn't reflect how information is already being shared by the company with vendors, corporate affiliates, business partners.
In reality the number is likely much higher.
And that's just what's on your phone.
That 240 number doesn't count for your other devices.
The devices in your daily life, in your house, in your car, your other online accounts.
Data initially collected in the non-digital world, loyalty programs, cameras, paper surveys, and public records.
Does that feel like you have control over your personal information?
But you gave your consent at some point.
Clearly it's time for a change.
Some will say that the way to fix this problem is just make more privacy policies.
more notices.
Make them clear so consumers can better understand those decisions.
More check boxes will provide the appearance of choice.
But not real options for consumers.
Pursuing legislation like this just doubles down on our current system of notice and choice and further burdens already busy consumers.
There is fundamentally no meaningful way for people to make informed, timely decisions about the many different data-collectors and processors with whom we interact every day.
Instead the goal should be to define our digital civil rights.
What reasonable behavior can we expect from companies that hold our data?
What rights do we have that are so precious they cannot be signed away?
The center for democracy and technology has drafted comprehensive legislation that is already available and has been shared with your staff.
I am happy to share, answer questions about it today.
But most importantly our bill and any meaningful privacy legislation must first prohibit unfair data practises, particularly the repurposing or secondary use of sensitive data, with carefully scoped exceptions.
Two, prevent data driven discrimination and civil rights abuses.
Three, provide robust and rigorous enforcement.
Reasonable data security practices and individual control rights, such as the right to access, correct and delete your data are obviously essential.
Enacting clear, comprehensive rules will facilitate trust and cement America's economic and ethical leadership.
On technology.
Now is the time for real change.
You have the opportunity to shape a new paradigm for data use, and you have the support of the majority of Americans to do so.
Thank you.
