Legislators Introduce Bipartisan Digital-Privacy Bill That May Not Be Doomed

The American Data Privacy and Protection Act would mandate data minimization and let Americans opt out of targeted ads while preempting many state privacy laws.

A new bipartisan privacy bill offers a compromise along the lines of what many tech companies and even some privacy advocates have said we need to get something—anything—out of Congress and into statute: federal privacy protection that preempts most state privacy laws.

The American Data Privacy and Protection Act, announced Friday(Opens in a new window) by Reps. Frank Pallone, Jr. (D-N.J.), Cathy McMorris Rodgers (R-Wash.), and Sen. Roger Wicker, (R-Miss.), remixes many existing concepts and proposals; policy ingredients that other legislators have yet to turn into a recipe that can emerge from the Congressional kitchen.

As covered the bill’s 64-page draft (PDF(Opens in a new window)) and 10-page outline (PDF(Opens in a new window)), it would would require most companies to comply with data-minimization guidelines. That means they can’t collect, process, and hoard a wide variety of personal data—from financial details to stored communications to their activity at social and entertainment sites—for reasons unrelated to providing the product or service they offer.

The bill would apply higher standards to such especially sensitive items as Social Security numbers, geolocation records, biometric information, browsing history, and genetic data, in most cases requiring a person’s upfront permission.

The act would further require companies to operate along privacy-by-design principles and ban them from charging extra for any of the privacy rights granted by the bill. And it would require them to provide clear, plain-language documentation of how they collect, use, and monetize data—something that would be mandated more strictly by a bill announced in January.

The act would then grant customers a variety of opt-out rights, including a choice to decline most targeted advertising (the bill bans that when aimed at anybody under 17 years old, while a Democratic bill introduced in January would prohibit “surveillance advertising” for everybody). It would establish an individual right to data ownership and control that would let people see what data a company has collected about them, have it corrected, deleted, or exported to them for their own use, and veto the sale or transfer of their data.

Data brokers—called “third-party collecting entities” in the draft text—must register with the Federal Trade Commission, allow audits of their collection and use of data, and collectively honor “Do Not Collect” requests by individuals. This section appears to borrow heavily from a bipartisan data-broker bill introduced in February.

The bill would assign enforcement to the FTC, which today brings privacy cases under its authority(Opens in a new window) to investigate “unfair or deceptive acts or practices.” States could also bring cases under the law, but individual people could not for the law’s first four years and would then only be able to file suit for certain violations.

The act would preempt such state laws as the California Consumer Privacy Act but not those covering data breaches and employee, student, and medical privacy, among a few others. It also specifically waives Illinois laws on biometric and genetic privacy as well a 2020 California law(Opens in a new window) that lets people sue for damages when poor account-security practices at companies lead to breaches of their data.

The preemption part may be the bill’s trickiest’s section. Tech companies don’t want to operate under a patchwork of state statutes, and many market-minded Republicans want to avoid that as well. But many Democrats don’t want to shut down state attempts to do something when Congress has done nothing on privacy for so long and have their own bills(Opens in a new window) out or in the works that would leave state laws alone.

That’s a lot to consider in this new proposal. But one thing it doesn’t have much of is Congressional time before the midterm elections(Opens in a new window). The next chapter in this proposal might be one that privacy advocates have heard a lot: Wait ‘til next year.

Source