In 2018, then-California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), enhancing consumer privacy rights and protections. The CCPA stiffens penalties for companies if personal data that they hold are disclosed or stolen, prompting debate about how privacy should be regulated, and what level of government—state or federal—should be responsible for doing so.
Caltech undergraduate Rona Yu, a junior studying computer science in the Division of Engineering and Applied Science, has embarked on a yearlong project with Morgan Kousser, professor of history and social science, to examine the issue. In addition to submitting formal recommendations to the Federal Trade Commission as part of its comment process as it considers new privacy regulations, Yu will deliver a seminar at Caltech on June 3 that is open to the public. Recently, Yu answered a few questions about her project and why privacy is so important.
What got you interested in the issue of privacy?
Last spring, UCLA professor Adam Winkler, who is a constitutional lawyer, came to campus and gave a talk through the Caltech Y. His talk addressed the constitutional rights of businesses, but didn't really cover tech companies, which are of interest to me, so I reached out to him to discuss it further. That summer, California enacted the CCPA, which gained a lot of media attention because big tech companies in the U.S. are concerned about its implications and the possible economic effects of having one state with drastically different privacy regulations than all the other states. The CCPA triggered the Federal Trade Commission to call for comments and hold a series of privacy hearings. Companies, academic lawyers, and individuals—like me—started researching how to actually draft a national privacy law.
How are you researching this topic?
My first term, I just started off with a reading course on a specific piece of legislation for general Institute credit. Over time, it developed into a larger-scale, long-term project that actually satisfied my Caltech humanities requirements. By my second term, I had started thinking about the broader question: "What should the nation be doing, right now, to draft a privacy regulation?" To that end, I've written a paper that covers the points that new privacy legislation should be prioritizing, the potential unintended consequences of the legislation that has been proposed, and other smaller things that I think are going to become larger issues. I then prepared a document describing my findings that I will submit to the Federal Trade Commission.
Do you advocate a national strategy to legislate privacy rules, or more of a state-by-state approach?
I'm actually advocating for a kind of mixture of the two. I'm advocating for a national approach to the most sensitive kinds of information; geolocation data, for example, should have minimal federal standards. But because technology is evolving so quickly and because national regulations are kind of bureaucratic and take a while to pass once they have been proposed, I think states should be able to experiment a little bit on their own and they should not be completely preempted from developing state-based regulations.
How has this made you think about your own privacy online?
One day I was clicking around on my Facebook page, and I discovered that, under "settings," there was a list of the companies that have your contact information and a list of your interests and other personal information. When I looked at mine, I found that there were a bunch of third parties I'd never heard of who had purchased information about me, but there was no way to easily find out exactly what they had purchased. Facebook was just saying that it's likely they'd given out my email or phone number, but they weren't really transparent about it. I guess, for me, that was my first sign that I didn't know where my own data were.
Since then, I've started thinking about how this lack of transparency could lead to increasingly serious downstream consequences that people don't really realize or discuss. Could insurance companies discriminate based on pre-existing health conditions predicted from social media activity patterns? Could companies target individuals who seem depressed and more prone to risky economic decisions? Could employers advertise jobs along gender stereotypes?
What message about privacy would you like to convey to your peers, particularly those who are getting ready to take jobs in the tech industry?
I would advise them to keep track of what is going on in policy and to know that tech policy does need people who have the technical background to understand what is actually happening with the data. I think the most effective legislation is going to understand both the technical and the policy aspect of things. A lot of the students here have the right background to make a big impact on policy, but they often aren't really aware of what's going on in the political sphere. It's important, and I would advise them to learn more about it.