The time has come for Congress to work on putting consumer data privacy protections into law.

For years, the wizards of the tech world have amazed all of us and helped fuel our economy with innovative products and services.  No one wants that to end.

At the same time, mounting controversies have undermined public trust in the ability and willingness of leading technology companies to regulate themselves and enforce real privacy safeguards for the collection and use of our digital data. 

The question is no longer whether we need a national law to protect consumers’ privacy.  The question is what shape that law should take.

The European Union and California have already acted. We need to examine whether they’ve gotten consumer privacy right and criticisms that their solutions pose an unintended challenge to innovation and competition.  For example, it’s fair to ask whether these new regulations would be too costly and cumbersome for innovative startups.

In seeking the right balance, Congress should focus on consumer choice. Effective rules must ensure transparency by addressing the ineffectiveness of current click-through privacy policies. They must also reset the unfair reality that consumers’ information may be collected, rented, or sold to outsiders but often can’t even be reviewed by consumers themselves.

Before his testimony to Congress earlier this year about the scandal involving the wholesale vacuuming of information by third-parties, Facebook CEO and founder Mark Zuckerberg and I discussed the concept of meaningful consumer consent. Such consent tends to happen when an internet consumer receives clear, immediately relevant information about an imminent decision. It does not occur when a consumer, needing something quickly, agrees to an unread privacy policy spanning dozens of pages in a manner of seconds with no further action required.

For those few who take time to sift through a lengthy privacy policy, whether on a smartphone app or website, it typically describes the rights and limits companies assign themselves to collect, use, transmit, and sell information about users. Good luck finding straightforward details about what actually happens with your data. The real world details typically aren’t made readily available. 

Many Americans have taken time to review their credit reports, detailing the information affecting access to financial services and which businesses have looked at their information. By contrast, how many Americans know the data points collected from their time online? 

Ironically, this lack of transparency bucks the trend in industry innovation. Most smartphones today don’t come with the thick instruction manuals of a decade ago. Instead, these user-friendly pocket computers are designed to be intuitive, teaching you as you operate them and offering online resources for complex operational questions as they become relevant. 

Technology companies, if sufficiently motivated by federal government engagement, should make privacy as simple as setting up a smartphone. A world in which your smartphone quickly tells you which apps or organizations have access to your location information, your web browser informs you who is watching your page with you, and a data company website tells you which entities have paid for access to your information no longer stretches the imagination. The ability to promptly end an arrangement outside a user’s comfort-zone should not be technically difficult either. 

This week, representatives of four large technology companies and two internet service providers will testify before the Senate Commerce Committee at our first privacy hearing about their current practices, ideas, concerns, and how they can complement efforts by Congress to improve consumer data privacy.  These well-known firms have diverse approaches to consumer data privacy, ranging from companies that do not monetize the consumer data they collect, to those whose business models rest principally on the ability to collect and monetize such data in exchange for providing free or reduced-cost services. 

The technology industry is not the first to collect sensitive information on consumers. Financial service providers, educational institutions, and health care providers all collect and maintain sensitive, regulated records. These models are informing current legislative efforts and underscore that a core function of digital privacy should be to ensure that consumers have the opportunity to enter arrangements based on informed decisions with entities they trust and fair warning about those who may engage in more questionable privacy practices.  

While controversies involving privacy, allegations of political bias, anti-competitive practices, and other matters have created significant public concern, digital privacy legislation is not—and should not be—retaliatory. Fair and appropriate digital data protections benefit consumers and responsible businesses. As we heard at the Facebook hearing, informed consumers may actually prefer tailored online advertising and the accompanying free services like e-mail over irrelevant and annoying pop-up ads or pay walls.

A successful consumer data privacy law will help consumers and reward organizations with little to hide, promote innovation, and force shady practitioners to clean up their act or fold up shop.