Federal Consumer Data Privacy Legislation in the 116th Congress


As discussions around a comprehensive federal privacy bill continue, lawmakers have introduced a number of smaller, piecemeal bills that address consumer data privacy in varying ways.

Since the implementation of the European Union's General Data Protection Regulation (GDPR) [https://eugdpr.org/] and the recent passage of the California Consumer Privacy Act (CCPA), tech industry stakeholders and federal policy makers have developed a renewed interest in a possible federal privacy law. In fact, major industry groups, such as the US Chamber of Commerce and the Internet Association, have produced their own desired frameworks for a comprehensive privacy law—a notable development from a community that is historically averse to regulation of any sort. The conversation has prompted consistent news coverage, the aforementioned lobbying efforts, and numerous congressional hearings, which EDUCAUSE had previously recapped.1 Earlier this year, the Government Accountability Office (GAO) even issued a report calling on lawmakers to consider comprehensive consumer privacy legislation.2 And, of course, consumer advocacy groups are active in pursuing such a law at the federal level.

If industry, lawmakers, and consumer advocacy groups are on board with a federal privacy law, one might reasonably wonder why it hasn't happened yet. As is often the case in Washington, the devil is in the details. Republicans and industry groups generally envision a federal privacy law that would preempt the CCPA and other state laws with a single national statute; both groups are motivated to avoid a complicated patchwork of compliance issues that threaten to proliferate should more states follow in California's footsteps. Democrats and consumer advocacy groups, on the other hand, seem reluctant to support a federal privacy law if it would mean preempting stronger state protections.

However, there are some fundamental areas of agreement among lawmakers that have brought Republicans and Democrats to the table for initial discussions. The belief that the Federal Trade Commission (FTC) should be the primary enforcement agency presiding over consumer data privacy seems to transcend party lines; lawmakers also seem to like the idea of giving state attorneys general enforcement authority over a federal privacy law within their respective states. Additionally, policymakers in both parties seem willing to authorize the FTC to levy civil penalties for first-time offenses and to confer traditional notice-and-comment rulemaking authority on the agency under section 533 of the Administrative Procedure Act. The FTC generally must follow a rulemaking procedure set forth in the Magnuson-Moss Warranty Act, which requires additional steps beyond those set forth in notice-and-comment rulemaking. Again, though, the devil is in the details. Some Republicans have indicated that while notice-and-comment rulemaking authority may be appropriate, what exactly the FTC is allowed to regulate requires deeper discussion.

The Senate Commerce Committee has been actively working to produce a comprehensive and bipartisan data privacy bill discussion draft, but the timeline for its release remains murky at best. As these negotiations continue, lawmakers have introduced other, piecemeal privacy bills. Although the bills vary in scope, all would subject violators to FTC-imposed penalties and allow a state to bring civil action on behalf of its residents to obtain some form of relief.

  • The American Data Dissemination Act was introduced on January 16, 2019, by Senator Marco Rubio (R-FL). This bill would direct the FTC to submit proposed regulations imposing privacy requirements on covered internet service providers to Congress within 18 months of the bill's enactment. If Congress fails to enact a law based on the recommendations, the FTC would promulgate a final rule based on the proposed regulations submitted to Congress.
  • The Social Media Privacy Protection and Consumer Rights Act was introduced on January 17, 2019, by Senator Amy Klobuchar (D-MN). This bill would require online platforms, such as public websites, web applications, mobile applications, social networks, ad networks, mobile operating systems, and others, to inform the user (before the user creates an account or uses the platform) that their personal data will be collected and used by the operator and third parties. This is commonly referred to as "opt-in consent." The online platform must also offer the user a copy of the personal data the operator processed. Additionally, the bill requires the platform to notify a user within 72 hours of becoming aware of a breach.
  • The Digital Accountability and Transparency to Advance Privacy Act was introduced on February 27, 2019, by Senator Catherine Cortez Masto (D-NV). This bill would require companies to notify and describe to consumers how data is collected, processed, stored, and disclosed. In addition, it would mandate that companies procure opt-in consent from users. Companies must also provide consumers, upon request, with the personal information collected.
  • The Commercial Facial Recognition Privacy Act was introduced on March 14, 2019, by Senator Roy Blunt (R-MO). This bill would prohibit certain entities from using facial recognition technology to identify or track consumers without their consent.
  • The Information Transparency and Personal Data Control Act was introduced on April 1, 2019, by Representative Suzan DelBene (D-WA). This bill would require any entity collecting, storing, processing, selling, or sharing sensitive data (defined as personal information encompassing genetic data, financial account information, geolocations, and information pertaining to religious beliefs and sexual orientation) to receive opt-in consent from the consumer in order to collect and use such data. Organizations must also provide consumers with the identity and contact information of entities collecting, processing, selling, and sharing sensitive personal information, third parties involved, and the purpose, storage period, and specific information shared.
  • An update to the Children's Online Privacy Protection Act (COPPA) of 1998 was introduced on March 12, 2019, by Senator Edward Markey (D-MA). This bill would prohibit internet companies from collecting personal and location information from anyone under 13 years old without parental consent, and from anyone 13 to 15 years old without the user's consent.

The above measures have yet to receive any formal committee action, and they are unlikely to move as standalone bills. Rather, lawmakers are laying down markers to illustrate their priorities in the larger federal privacy legislation debate. EDUCAUSE will keep members apprised of any notable developments as lawmakers continue to search for a bipartisan path forward.

Notes

  1. Kathryn Branson, "Senate Commerce Committee Holds Hearing on Principles for a Federal Data Privacy Framework," Policy Spotlight (blog), EDUCAUSE Review, March 12, 2019. "Senate Commerce Committee Holds Hearing on Consumer Data Privacy," October 22, 2018.
  2. Kathryn Branson, "GAO Recommends That Congress Consider Comprehensive Consumer Privacy Legislation," Policy Spotlight (blog), EDUCAUSE Review, March 12, 2019.

Kathryn Branson is an associate with Ulman Public Policy.

© 2019 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.