- Proposals include rights, duty and authority-based approaches
- Need for strong federal standard remains a topic of debate
Although members of Congress agree the U.S. has a dire need to protect citizens’ online privacy, the federal legislature still lacks a uniform approach, a comprehensive VIXIO analysis has shown.
There is a bipartisan, bicameral understanding that consumers’ online data needs to be protected.
Surveys show that 83 percent of voters believe Congress should make the adoption of a federal privacy standard a top or important priority in 2021.
This has led legislators, both at the state and federal level, to introduce numerous bills, but proposals filed by members of Congress still lack common ground on how to approach the protection of online privacy.
Following in the footsteps of the EU’s General Data Protection Regulation (GDPR), Senator Jerry Moran (R-KS) put forward the Consumer Data Privacy and Security Act, a rights-based approach that would protect Americans’ online data privacy through the creation of consumer rights and business obligations.
Moran’s bill would give consumers the right to access the information businesses collect, port that data to another provider, correct inaccuracies or request the deletion of their personal information.
The bill would establish business obligations, such as purpose-based processing, notice and consent requirements and storage limitations for sensitive personal information.
Although these provisions are very similar to those included in the European and Californian counterparts, Moran’s proposal sets out a more favorable approach for small businesses.
The bill exempts small businesses from the requirement to comply with requests for access and correction due to their resource-intensive nature and lays down that a business’ data security program must be commensurate to the size, complexity and resources of that entity, among other factors.
Another robust federal privacy bill was introduced by Senator Kirsten Gillibrand (D-NY).
Instead of creating GDPR-like consumer rights, the Data Protection Act would establish an independent federal Data Protection Agency (DPA), tasked with developing and enforcing privacy and data protection rules.
The DPA would be required to issue regulations identifying high-risk data practices and data processing acts that are likely to cause privacy harm or constitute an unlawful, unfair, deceptive, abusive or discriminatory act.
The bill would also require the DPA to establish the rights of individuals against data aggregators, including the right to access and correct, limit the processing of and request deletion of an individual’s personal data.
Data aggregators would need to be transparent about business practices, data collection limitations, processing and disclosure limitations, purpose specification and the legal basis for processing requirements.
The bill would transfer all privacy-related rulemaking and enforcement authorities to the new agency, including those currently exercised by the Federal Trade Commission (FTC).
By contrast, the Information Transparency and Personal Data Control Act, introduced by Representative Suzan DelBene (D-WA), would direct the FTC to make rules for the processing of online consumer data.
The rules must be set in line with the pervading view in Congress that individuals have the right to access and correct their personal data and that citizens expect that companies will collect, use, and disclose personal data in ways that are consistent with the context of collection, and that there are reasonable limits put on the collection and storage of personal data.
The rules must allow consumers to opt out of the collection, sale or use of personal information and require affirmative express opt-in consent for the use of sensitive personal information.
The bill would give the FTC and state attorneys general the power to enforce the law and would give the FTC extended jurisdiction over common carriers.
Similarly, the Mind Your Own Business Act, put forward by Senator Ron Wyden (D-OR), would also make the FTC the main privacy watchdog and require the agency to establish and enforce minimum privacy and cybersecurity standards.
That bill would also direct the FTC to make rules to implement and maintain a “Do Not Track” website that allows consumers to opt out of data sharing with one click.
Certain large companies and those that process a large amount of personal information would be required under the act to file annual data protection reports with the FTC.
The duty of care would require online service providers that collect data to reasonably secure individual identifying data and inform users of data breaches that involve sensitive information.
A duty of loyalty would prohibit the use of individual identifying data in ways that harm users, while the duty of confidentiality requires online providers to ensure that those duties extend to third parties when disclosing, selling, or sharing individual identifying data.
The remaining stumbling block
Since the introduction of the first privacy law proposals, legislators have settled many of their differences on how to approach a national privacy standard, but have so far failed to overcome two key stumbling blocks which effectively stopped federal bills from gaining ground in the last Congress.
Others believe that Congress should set the federal standard as a baseline on which states could build their own versions of law.
They argue that, as laboratories of democracy, states can experiment and find the best solution for protecting privacy, while they can also adapt more promptly to new challenges.
The bills introduced by federal lawmakers so far indicate that legislators have not yet taken a consistent stand on which approach they wish to follow.
While Moran and DelBene propose a strong pre-emptive law, other initiatives would give states the opportunity to adopt stronger privacy protections.
At the same time, none of the bills would establish the private right of action, the other key obstacle that hindered federal bills from advancing in the last Congress.
The private right of action would allow citizens to bring court actions against businesses that allegedly violated their privacy rights.
Although the currently active bills seem to agree that enforcement of privacy rights should be placed in the hands of a federal agency or state attorneys general, it has to be noted that chief proponents of the private right of action, Representative Anna Eshoo and Senator Maria Cantwell, have not yet re-introduced their comprehensive privacy bills.
Even though members of Congress have been very active in developing and introducing privacy bills, so far none have moved forward in the legislative process.
Moran’s rights-based bill and Wyden’s opt-out website approach have not even managed to convince any senators to sign on as co-sponsors.
Gillibrand’s bill proposing a designated privacy agency has received slightly more support. Her Data Protection Act lists one co-sponsor, albeit a significant one: Sherrod Brown (D-OH), chairman of the Senate Banking Committee.
On the other hand, Schatz’s duty-based proposal has been backed by 18 Democratic senators and DelBene’s bill is co-sponsored by 19 Democratic representatives, in addition to receiving the endorsement of leading industry participants.
Other federal law proposals
In addition to this gaggle of comprehensive privacy bills, there have been several other federal bills introduced since the beginning of the current Congress that would provide a certain level of privacy protection.
Senator Marsha Blackburn’s (R-TN) BROWSER Act would require communication and technology companies to clearly disclose their privacy policies and allow consumers to opt in or opt out of data collection depending on the sensitivity of the information.
The Data and Algorithm Transparency Agreement (DATA) Act introduced by Senator Rick Scott (R-FL) would impose notice and consent requirements on big tech platforms, task the FTC with the enforcement of the act and create a private right of action.
Senator Amy Klobuchar’s (D-MN) Social Media Privacy Protection and Consumer Rights Act would require online platform operators and service providers to allow users to opt out of data collection and grant users access to the information collected about them.