Legislators across the country are writing new laws to protect your data privacy. One tool in the toolbox could be “information fiduciary” rules. The basic idea is this: When you give your personal information to an online company in order to get a service, that company should have a duty to exercise loyalty and care in how it uses that information. Sounds good, right? We agree, subject to one major caveat: any such requirement should not replace other privacy protections.
Why We Need Information Fiduciary Rules
The law of “fiduciaries” is hundreds of years old. It arises from economic relationships based on asymmetrical power, such as when ordinary people entrust their personal information to skilled professionals (doctors, lawyers, and accountants particularly). In exchange for this trust, such professionals owe their customers a duty of loyalty, meaning they cannot use their customers’ information against their customers’ interests. They also owe a duty of care, meaning they must act competently and diligently to avoid harm to their customers. These duties are enforced by government licensing boards, and by customer lawsuits against fiduciaries who do wrong.
These long-established skilled professions have much in common with new kinds of online businesses that harvest and monetize their customers’ personal data. First, both have a direct contractual relationship with their customers. Second, both collect a great deal of personal information from their customers, which can be used against these customers. Third, both have one-sided power over their customers: online businesses can monitor their customers’ activities, but those customers don’t have reciprocal power.
Accordingly, several law professors have proposed adapting these venerable fiduciary rules to apply to online companies that collect personal data from their customers. New laws would define such companies as “information fiduciaries.”
What Information Fiduciary Rules Would Do
EFF supports legislation to create “information fiduciary” rules. While the devil is in the details, those rules might look something like this:
- If a business has a direct contractual relationship with a customer (such as an online terms-of-service agreement), the business would owe fiduciary duties to their customer as to the use, storage, and disclosure of the customer’s personal information. Covered entities would include search engines, ISPs, email providers, cloud storage services, and social media. Also covered would be online companies that track user activity across their own websites, and (through tracking tools) across other websites.
- To avoid an undue burden on small start-ups and noncommercial free software projects that often spur innovation, information fiduciary rules would exempt (wholly or partially) smaller entities. A company’s size would be defined by its revenue, or by its number of customers or employees. Care should be taken to make sure that these rules (like any others) do not inadvertently cement the power of the current technology giants.
- Covered entities would owe their customers a duty of loyalty, that is, to act in the best interests of their customers, without regard to the interests of the business. They would also owe a duty of care, that is, to act in the manner expected by a reasonable customer under the circumstances. These duties would apply regardless of whether the customer pays for the service. However, they would not bar a covered entity from earning a profit with their customers’ data.
- If a business violates one of these duties, the customer would be able to bring their own lawsuit against the business.
New information fiduciary rules would help address situations that have arisen in the past:
- If a company collects data for one purpose, it would not be allowed to use that data for an entirely different purpose, or transfer it to a third party that would do so. For example, the self-description you give a company in response to a personality quiz should not be used to try to influence how you vote. Similarly, the phone number you give a company to secure your personal information with two-factor authentication should not be used for targeted ads.
- If an online business gathers and stores its customers’ personal information, it would be required to take reasonable steps to secure that information and to promptly notify you if the information leaks or is stolen.
- An online business would not be allowed to secretly conduct human subject experiments on its customers that attempt to change their moods or behaviors.
The rules can also help in potential future situations as well:
- If a customer publicly criticizes an online business, the business would not be allowed to attempt to discredit the customer by publishing their personal information.
- If an online business provides travel directions to a customer, it would not be allowed to secretly route a customer past another business that paid for this routing.
- If a social media encourages its customers to vote, it would not be allowed to selectively do so based on whether a customer’s personal information indicates they will vote consistently with the company’s political preferences.
What Information Fiduciary Rules Would Not Do
While information fiduciary rules would be an important step forward, they are just one strand of the larger tapestry of data privacy legislation.
First, while information fiduciary rules are a good fit for “first-party” data miners that have a direct contractual relationship to their customers (such as social media companies and online vendors), these rules may be less applicable to “third-party” data miners that have no direct relationship to the people whose data they gather (such as credit agencies). The essence of the fiduciary relationship is the choice of a customer to entrust someone else with their personal information.
Second, while information fiduciary rules would limit how a first-party data miner may use, store, and disclose a customer’s personal information, these rules may have less to say about when and how a business may initially collect a customer’s personal information.
Third, there is uncertainty as to how information fiduciary rules will be applied in practice. Fiduciary rules are hundreds of years old, and have typically been applied to skilled professionals. But since the law of information fiduciaries does not yet exist, it remains unclear exactly what enforceable limits it will place on online businesses.
We should not put all of our eggs in this one basket. EFF supports information fiduciary rules. But these rules must not displace other data privacy rules that EFF also supports, such as opt-in consent to collect or share personal information, the “right to know” what personal information has been collected from you, and data portability. Companies subject to data fiduciary rules must follow these other data privacy rules, too.
Likewise, a federal information fiduciary statute must not preempt state laws that provide these other privacy safeguards. EFF has been sounding the alarm against federal legislation that preempts strong state data privacy laws—and that includes any federal law on information fiduciaries.