Last month, a major data breach at AT&T— one of the largest telecommunications companies in the U.S. — shed an important light on the shocking lack of privacy protections that are long overdue for Americans. Data breaches are all-too familiar with 400 million people globally affected by 1,800 data breaches in just 2022 alone. But the sheer scale of this latest breach - with phone and text records of nearly all of AT&T’s customers taken - starkly showcased the risks of these irresponsible practices.

How is this possible? Without a U.S. federal privacy law, companies are under little obligation to do the due diligence to prevent such catastrophes from happening. If strong guardrails were set in place, companies would have to comply with requirements like regular risk assessments, take preemptive action to mitigate any risks, minimize the amount of data they collect, and dispose of data when the purpose is served. As Mozilla has repeatedly argued, we think that strong privacy laws could also help to address the new threats to people’s privacy posed by the rise of generative AI.

The political tides have risen and fallen for federal privacy in recent years. In 2022, the American Data Privacy and Protection Act (ADPPA) had momentum but did not advance. Since then, public and bi-partisan interest in privacy protections has grown, according to Pew Research Center polling. Perhaps in response to this growing public pressure, this April, Senate Commerce Committee Chair Maria Cantwell and House Energy & Commerce Committee Chair Cathy McMorris Rodgers surprised even us with a comprehensive federal privacy draft called the American Privacy Rights Act (APRA), which was negotiated and marked up through the summer.

On Thursday July 11th, Senator Cantwell convened a full committee hearing on “The Need to Protect Americans’ Privacy and the AI Accelerant,” where Mozilla’s Director of Global Product Policy Udbhav Tiwari testified as a key witness alongside Amba Kak from AI Now, Professor Ryan Calo, and Morgan Reed, President, The App Association. Their testimony reiterated the importance of federal privacy as a bedrock of AI policy, and a necessity for protecting American consumers. You can watch the full hearing linked below:

Read Mozilla’s written testimony before the U.S. Senate Committee on Commerce, Science and Transportation

In the hearing, Senator Welch asked Mozilla a question about the most effective tool for consumers to exercise control over their data.

Udbhav responded, "The Mozilla Foundation has run campaigns over the last four to five months that have explicitly focused on this specific question. Both requiring companies to be transparent about the fact of whether they are using personal data in order to train their models and after that to ensure that users have complete control over this processing. Meaning both users should be able to consent for such behavior to take place, but also that they should be able to withdraw that consent whenever they like and opt-out of this processing," adding that,

"We believe the risks of the leakage of such private information drastically reduce if users are given an ability to both understand what their data is being used for and then make a choice.”

APRA’s sponsors seem intent on seeing federal privacy move over the finish line against the odds. Although we are sad to see crucial civil rights protections gutted from the House’s APRA draft, it doesn’t make the need for federal privacy any less urgent or the conversation less important. This was a crucial moment for U.S. civil society as well, particularly the civil rights and digital rights groups who have long championed the need to protect all Americans' privacy.

To discuss next steps, Mozilla convened the leading privacy advocates and experts engaged at the state and federal level in July. There was broad agreement on the urgency of transparency measures commonly found in a comprehensive law. Only then would consumers be able to track exactly how data fed into AI systems to have real-world consequences for their livelihoods — for example in the form of a denied loan or job application. The group also discussed the challenges ahead with federal conversations narrowing on topics like kids’ privacy, and noting that as more states adopted privacy laws, the more difficult it could become for states to accept a national standard.

So what’s next for the Privacy for All campaign to pass a federal privacy law in the US? Well, despite this summer’s glorious momentum we know from bitter experience that federal legislation is notoriously difficult to enact. However there’s a real need to beat the drum in support of strong privacy standards, especially in the face of a heavily-resourced industry lobby working tirelessly to negotiate down state privacy standards (and liability). This is why we will be thinking through how to best support the strength of state protections and our civil society partners leading that work, at least until the next window of opportunity for a federal law presents itself. Despite the long road ahead, we believe people should expect tech companies to respect their privacy, to handle the personal data that we entrust them with responsibly - and to do their utmost to stop that data from falling into the wrong hands. As the AT&T and thousands of other breaches show, there is a lot of work to do.

Sign the petition demanding a U.S. federal privacy law and to stay up to date on this work. Thanks for reading!


Relatearre ynhâld