A budding bipartisan movement toward establishing a federal data privacy bill began to take shape about two years ago, but ended up being put on pause due to the combination of the coronavirus pandemic and an especially contentious election year. With the effects of both of those things subsiding, Congress has begun to take the subject up again.
A 2018 bill introduced by Sen. Amy Klobuchar (D-MN) that has Republican support has been put back in front of the Senate, and its chances of advancing may have improved given that control of Congress has shifted to the Democrats. One of the highlights of the bill is a requirement that tech platforms allow users to opt out of data collection and tracking, but it would also allow them to deny these users service.
Proposed data privacy bill contains mixed bag of terms
The Social Media Privacy Protection and Consumer Rights Act is sponsored by Klobuchar and Joe Manchin (D-WV), and draws bipartisan support from John Kennedy (R-LA) and Richard Burr (R-NC). However, the data privacy bill stalled out in 2019 in part because it failed to draw a significant amount of additional Republican support. There are no strong indications that the political right will be any more interested in it this time, but that may now be irrelevant as the Democrats have a window of a year and a half in which to pass it while having an assured hold on the House and Senate.
One of the key terms of the data privacy bill is that platforms write their terms of service in “easily accessible language” that can be readily understood by the average person. End users must also be given the ability to opt out of data collection and tracking; however, platforms would in turn be allowed to deny service to users that opt out. The bill allows providers to disallow either “certain services” or “complete access” in cases where opting out creates “inoperability” in the platform.
The data privacy bill would provide some enhanced rights and protections to those that do opt to participate, however. The bill requires that users be notified of a data breach within 72 hours, and the breach notification must be accompanied by a full copy of the data that the service has collected along with links to request that data be deleted. The bill also requires services to delete the collected data of closed accounts within 30 days unless they are compelled to hold onto it for some sort of legal reason.
Platforms would also be required to maintain a “privacy or security program,” something of an odd wording as one would expect responsible platforms to have both of these things. But the data privacy bill specifies that the program must detail how the platform uses collected personal data, how it addresses expected security risks created by introduction of any new products or services, and detail the access that both internal employees and contractors have to collected personal data. Users would also have to be notified when new products are introduced to the platform and given the choice to opt out of them. These programs would have to be audited at least once every two years.
Enforcement would be turned over to the Federal Trade Commission (FTC), using existing “unfair or deceptive acts or practices” laws. Non-profit organizations would also be subject to the terms of the new data privacy bill. And state residents would be able to seek restitution via a civil action brought by the state attorney general. The bill would also not supersede existing state data privacy laws.
Consumer protection may be limited
The proposed data privacy bill does not go nearly as far as something like the EU’s General Data Protection Regulation (GDPR) in terms of consumer protections, and some privacy advocates are pointing out that a system focused on opting out may be untenable. The bill appears to focus on services in which a user is logged into an account, but the tech platforms also provide services that collect protected data without requiring a login. Google’s search bar and YouTube are two primary examples, and Facebook is able to build profiles on anyone visiting any unrelated website that incorporates its plugins.
The “opt out” approach is the opposite of the direction Apple has gone with its recent privacy changes introduced in iOS 14.5. Apple’s “opt in” system requires that the end user be notified of data collection for personalized ad tracking when they download an app, and be presented with a prompt to opt in. The app developer is not allowed to restrict or deny service to users that opt out. Customers relying on an “opt out” system have to first give their personal data over to the platform, then trust that it will be handled and removed appropriately and in a timely manner.
Though the proposed data privacy bill is far from addressing all of the issues on the table, identity management expert Alexa Slinger of OneLogin notes that the data breach requirements would substantially improve at least one area of major consumer harm: “According to an Audit Analytics report, Trends in Cybersecurity Breach Disclosures, it takes an average of 108 days before companies discover a breach, and another 49 days to disclose the breach to consumers. This leaves buyers unknowingly at risk to further exploitation of their data, and companies subject to detrimental costs and penalties to their business. It’s in both the consumer and company’s best interest to implement standards, processes and systems to prevent breaches and protect valuable user data.”