The increasing use of consumers’ personal data by businesses poses a privacy risk that should be addressed by Congress through comprehensive legislative action, according to a report from the Government Accountability Office released on Tuesday.
The GAO report—which summarizes the agency’s work on consumer privacy issues over the past decade—notes that even as the collection and use of Americans’ personal data has grown, consumers still remain largely unaware of how their data is used and “generally do not have the ability to stop the collection of their data, verify data accuracy or maintain privacy.”
The report cited the growing collection and use of consumer data in four key sectors—marketing, health care administration, higher education and criminal justice—where businesses “collect personal and transactional data to create consumer scores” that are then used “to predict how consumers will behave in the future.”
The opaqueness of these scores, including how they are used, creates a variety of risks for consumers, the report warns, including biased outcomes, inaccurate scores and differential treatment. GAO recommended that Congress consider appropriate protections for consumer scores outside the scope of existing federal laws, including “allowing consumers to view and correct data and to be informed of score uses and their potential effects.”
“No federal law expressly governs the creation, sale and use of consumer scores, and gaps may remain in federal consumer protections,” GAO warned.
The report also cited privacy and accuracy concerns about the use of facial recognition, noting that consumers are potentially unaware of the risks associated with the technology, including “loss of anonymity, lack of consent and performance differences between demographic groups, which could lead to misidentification or profiling.”
GAO, renewing recommendations that the agency previously made in a 2013 report, said that Congress should “strengthen the federal consumer privacy framework to reflect changes in technology and the marketplace.” This would entail expanding federal authority over internet privacy, since the lack of a federal privacy framework leaves consumers “with limited assurance that their privacy will be protected.”
“By enacting comprehensive legislative changes, Congress can help address long-standing challenges and create a framework that will address changing risks,” the report concluded.
The Federal Trade Commission—which the GAO report said “has the lead in overseeing internet privacy across all industries, with some exceptions”—voted in August to issue an Advanced Notice of Proposed Rulemaking requesting public comment on data security and commercial surveillance practices that are harmful to consumers. The notice comes as the FTC considers whether to issue rules that would safeguard consumer privacy in lieu of congressional action.
A bipartisan group of lawmakers introduced data privacy legislation in June outlining a federal framework for safeguarding consumers’ data. The American Data Privacy and Protection Act—spearheaded by Reps. Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., along with Sen. Roger Wicker, R-Miss.—passed the House Energy Commerce Committee in July, but Speaker Nancy Pelosi, D-Calif., released a statement in September raising concerns about the legislation preempting California’s data privacy law.