Internet companies support a federal, economy-wide privacy law that provides consumers meaningful control and the ability to access, correct, delete, and download data they provide to companies. Americans should have consistent experiences and expectations across state lines and industries – regardless of where they live or the type of company they interact with. IA supports a national privacy framework that is consistent nationwide, proportional, flexible, and encourages companies to act as good stewards of the personal information provided to them by individuals.
As policymakers and stakeholders work on an American approach to privacy, we must ensure that a national privacy framework:
Protects individuals’ personal information and fosters trust by enabling individuals to understand their rights regarding how personal information is collected, used, and shared.
Meets individuals’ reasonable expectations with respect to how the personal information they provide companies is collected, used, and shared.
Promotes innovation and economic growth, enabling online services to create jobs and support our economy.
Demonstrates U.S. leadership in innovation and tech policy globally.
Is mindful of the impact of regulation on small- and medium-sized companies.
Applies consistently across all corporate entities, to the extent they are not already regulated at the federal level.
Internet Association Privacy Principles
These privacy principles aim to protect an individual’s personal information, which we define as any information capable of identifying a specific individual or a device that belongs to that individual.
-
A national privacy framework should give individuals the ability to know whether and how personal information they provide to companies is used and shared with other entities, and if personal information is shared, the categories of entities with whom it is shared, and the purposes for which it is shared.
-
Individuals should have meaningful controls over how personal information they provide to companies is collected, used, and shared, except where that information is necessary for the basic operation of the business or when doing so could lead to a violation of the law.
-
Individuals should have reasonable access to the personal information they provide to companies. Personal information may be processed, aggregated, and analyzed to enable companies to provide services to individuals. Safeguards should be included to ensure that giving an individual the ability to access their personal information does not unreasonably interfere with other individuals’ privacy, safety, or security, or a company’s business operations.
-
Individuals should have the ability to correct the personal information they provide to companies, except where companies have a legitimate need or legal obligation to maintain it.
-
Individuals should have the ability to request the deletion of the personal information they provide to companies where that information is no longer necessary to provide the services, except where companies have a legitimate need or legal obligation to maintain it.
-
Individuals should have the ability to obtain the personal information they have provided to one company and provide it to another company that provides a similar service for which the information is necessary.
The adoption of the principles identified above would enhance individuals’ personal privacy and their ability to trust that companies place appropriate limits on the use of personal information. To ensure the effectiveness of a national privacy framework, these principles must be balanced against: (1) competing individual rights, including freedom of speech and expression; (2) other parties’ privacy interests; (3) data security interests; (4) companies’ needs to protect against fraud or other unlawful activity, or individual safety; (5) companies’ requirements to comply with valid law enforcement requests or judicial proceedings; (6) whether the exercise of the rights afforded individuals are unduly burdensome or excessive in specific instances; and (7) whether individuals’ exercise of their rights would require companies to collect or process additional personal information about that individual.