Glad to see that Senator Richard Blumenthal reads my blog!
From me in June, 2010:
My effective regulation strategy is certification. Agree upon several tiers of privacy awareness through a consensus-building process. As an example, the lowest-tier level would include deleting data immediately from a database when it is deleted on the site (Facebook probably has photos you deleted years ago) and protecting personal data from employees. A higher tier would require all privacy-related changes to be opt-in.
“The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches,” Senator Blumenthal said in a phone interview. “While looking at past data breaches, I’ve been struck with how many are preventable.”
It’s actually a sharply different mechanism from certification, focusing on more basic security measures and enforcing them unilaterally. These are more security-focused than consumer privacy-focused: the equivalent of ensuring that a bank keeps your money in a very strong safe, but not actually mandating how much cash on hand it is required to carry.
I’d love to see privacy measures go even further, and the establishment of privacy certification authorities, legally bolstered by legislation, would be a good start. There are so many practices that are completely unregulated, like the example I used in my post: when you delete a photo on Facebook, the server keeps it. We could establish a certification structure in which this practice would put Facebook on the lowest tier unless they change the policy.