Necessary features of strong privacy legislation

  1. Explicit Opt-In Consent (Not Opt-Out)

    • No data collection, sharing, or sale without clear, informed, affirmative consent
    • Pre-checked boxes and passive agreement (like "by continuing to use this site...") should be prohibited.
    • Consent must be granular — not bundled for all data types or purposes.

  2. Data Minimization

    • Limit data collection to only what is strictly necessary for the service provided.
    • Ban “just in case” data collection.
    • Require companies to justify every category of data collected.

  3. Right to Access, Delete ("Right to Be Forgotten"), and Correct Information

    • Individuals must be able to view all data collected about them — including inferred data, behavioral profiles, and third-party disclosures.
    • Individuals must have the ability to permanently delete their data from both the company’s systems and any third parties it was shared with.
    • Individuals must be able to correct inaccuracies in any data profile — including inferred or behavioral data.

  4. Right to Sue (Private Right of Action)

    • Individuals must be allowed to take companies to court for privacy violations. Without this, enforcement relies solely on underfunded government agencies.

  5. Prohibition on Data Collection of Minors A study published in Michigan Medicine revealed that two-thirds of apps used by preschool-aged children collected and shared persistent identifiers with third parties like Facebook, often without adequate disclosure or parental consent.

    • No behavioral tracking of children under 16 — regardless of parental consent.
    • Special restrictions for students, medical patients, or protected groups.

  6. Ban on “Pay for Privacy” Models: Privacy must be a default right, not a premium feature.

    • Companies should not be allowed to charge more or restrict access to core services based on whether a person agrees to tracking.
    • Privacy must be a default right, not a premium feature.

  7. Strict Limitations on Third-Party Sharing

    • No transfer, sale, or access by third parties without express consent for each use.
    • Include a duty to notify if data has been shared historically.

  8. Data Security & Breach Notification

    • Mandatory encryption, access controls, and prompt breach disclosure within 72 hours. Fines for negligence or failure to secure data.

  9. Independent Oversight & Enforcement

    • Create or empower an independent data protection agency.
    • Require annual audits and assessments for high-risk data practices.

  10. Ban on Dark Patterns

    • Prohibit deceptive UX tricks that nudge users to accept tracking (e.g., misleading buttons, hidden settings).
    • Require clear, equal-weighted choices.

  11. Algorithmic Transparency

    • Require companies to disclose how automated decisions are made, especially for high-stakes outcomes (credit, jobs, housing, insurance).
    • Allow users to opt out of automated profiling.

  12. No Government Workarounds

    • Prohibit the government from buying data from brokers to bypass warrant requirements or constitutional protections (as is currently done by law enforcement and the military).

  13. Sunset Clause for Retention: No indefinite retention of old location, call, or search data.

    • Require companies to automatically delete data after a set period unless actively needed — e.g., no indefinite retention of old location, call, or search data.