Lines Drawn on New Data Privacy Bills
A second U.S. data privacy bill in as many months targets consumer protections while attempting to beef up enforcement of privacy rights.
The Consumer Online Privacy Rights Act would establish a new bureau within the Federal Trade Commission to enforce digital privacy rules. The proposed legislation also would give consumers greater control of their online personal data and provide greater protections by obligating companies to prevent privacy violations.
The legislation was introduced Tuesday (Nov. 26) by Sen. Maria Cantwell, D-Wash., the ranking Democrat on the Senate Commerce Committee.
Other provisions bar companies from concealing what they are doing with users’ personal information. The proposed legislation also allows states to approve their own privacy laws while maintaining consumers’ right to sue for privacy violations.
“Consumers deserve two things: privacy rights and a strong law to enforce them,” Cantwell said introducing the legislation. “They should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation.”
Privacy groups praised the legislation. “Exploitative data practices and black box algorithms often cause harm to marginalized communities, such as exacerbating discrimination in housing, employment, credit, or education,” said David Brody, senior fellow for privacy and technology at the Lawyers Committee for Civil Rights Under Law.
“Congress needs to act to stop data-driven discrimination and ensure that civil rights laws apply evenly to both the online and offline economies,” Brody added.
As pressure grows to rein in corporate use of private data, technology groups came out swinging against Cantwell’s bill.
“This legislation fails to strike the right balance between consumer privacy and commercial innovation,” countered Daniel Castro, vice president of the Washington-based Information Technology and Innovation Foundation (ITIF).
“It would severely restrict legitimate uses of consumer data, limiting the opportunities for companies to collect, use, and share data to innovate in the digital economy,” Castro added.
ITIF warned the privacy legislation would, for example, require companies to curtail data collection, “which would reduce opportunities for businesses to extract new value from existing data and develop new products and services,” Castro said.
A data privacy bill introduced last month by Sen. Ron Wyden, D-Ore., would impose penalties stiffer than current European rules while giving American consumers a “one-click” option to block companies from selling or sharing their personal information.
Wyden’s “Mind Your Own Business Act” would go further than the EU’s General Data Protection Regulation, with fines for corporate violators up to 4 percent of annual revenues and criminal penalties of up to 20 years for executives caught lying to authorities about misuse of personal data.
In addition, it would amend the Federal Trade Commission Act by tightening restrictions and imposing stiffer penalties on corporate violators. It also proposes tax penalties based on executive compensation.
The privacy legislation proposed this week “looks like a good step to provide a common privacy floor that could eliminate some of the major differences between states,” said Robert Cruz, senior director of information governance at Smarsh, a data archiving specialist based on Portland, Ore.
“In particular, the consent provisions for sharing data, the need to state the specific business purpose that data is collected for and the annual inspection of data protection controls are all areas where we see firms looking for a common set of rules to reconcile the various state jurisdictions.”