Your data, your control: now’s the time for strong federal privacy legislation


Published on June 13, 2019

At Dropbox, we believe that everyone should control their personal information. This commitment to fundamental privacy rights is reflected in our company’s values and practices. It should also be reflected in US law. That’s why we’ve joined other cloud companies in forming the Enterprise Cloud Coalition, a chorus of voices calling on Congress to swiftly pass federal privacy legislation.

We’re at a critical moment in the history of the internet. The decisions we make today will affect how Americans interact with each other online—and how their privacy is protected—for decades to come. Congress needs to act boldly and thoughtfully now to implement privacy legislation that will work for all Americans.

Being worthy of trust is our top company value. Since we don’t make money from advertising, we don’t make any compromises in our commitments to our users and their privacy. We’ve invested heavily in security and privacy programs that keep this data safe, and we respect our users’ rights to access, correct, delete, and move their data. These rights don’t vary by geography—we provide the same privacy protections wherever in the world you are.

Now is the time to codify privacy rights in federal law. Congress won’t be building from scratch. The Federal Trade Commission has a long history of enforcing privacy rules. Strong privacy and data breach laws are in place at the state level. And strong federal laws already protect healthcare data, financial information, and children’s privacy. But as US states pass potentially conflicting laws, it’s time to create a single, high federal standard that protects privacy for all users across the country and in every segment of the economy.

We bring a unique perspective to this debate as a cloud provider that serves both enterprises and consumers at scale. As we work with Congress to pass federal privacy legislation that protects our users, here are some of the most important things we think Congress should consider:

  • Congress must enshrine strong privacy rights in federal law. The right to transparency in how your data is used and the rights to access, correct, delete, and port your data and to control its use should be the law of the land. 
  • Companies should be required to invest in building a privacy program that ensures they are responsibly handling personal data rather than solely putting the onus on their users to read (and understand) privacy policies and how to pursue their rights.
  • Federal law must set a single privacy standard for the country. A federal law that preempts state privacy laws need not—and should not—water down privacy standards. It instead should establish a single, high standard that applies nationwide. Companies, especially small startups, need a single standard to build a compliance program that protects all users. A patchwork of different laws at the state level only benefits the largest incumbents that can employ lawyers in every state. 
  • Privacy laws also must be enforced, and the FTC needs additional resources to do so effectively. Congress should provide targeted rule-making authority to the FTC to ensure it can adapt to a rapidly changing landscape. And the FTC also should have civil penalty authority to punish wrongdoing when it finds it.

Time is of the essence. We call on Congress to swiftly pass a federal privacy law to protect the privacy rights of users.