A new bipartisan privacy law offers a compromise, echoing what many tech companies and even some privacy advocates have said, we need to get something — everything — out of Congress and enshrined in law: federal privacy that preempts most state privacy laws.
The American Data Privacy and Protection Act was announced on Friday(Opens in a new window) by Reps. Frank Pallone, Jr. (DN.J.), Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker, (R-Miss.), remixes many existing concepts and suggestions; political ingredients that other lawmakers have yet to turn into a recipe that can emerge from the kitchens of Congress.
Like the 64-page draft law (PDF(Opens in a new window)) and 10-page outline (PDF(Opens in a new window)), it would require most organizations to comply with data minimization policies. This means that they cannot collect, process and hoard a wide range of personal data – from financial data to stored communications to their activities on social and entertainment sites – for reasons unrelated to providing the products or services they offer.
The bill would apply higher standards to particularly sensitive items such as social security numbers, geolocation records, biometric information, browsing history and genetic data, and in most cases would require an individual’s prior approval.
The law would also require companies to comply with privacy principles and prohibit them from charging additional fees for the privacy rights granted by the bill. And it would require them to provide clear, easy-to-understand documentation on how they collect, use and monetize data — something that would be made more stringent by a bill announced in January.
The law would then give customers a variety of opt-out rights, including the ability to opt-out of targeted advertising (the law prohibits this if it’s aimed at anyone under the age of 17, while a Democratic law introduced in January bans “surveillance advertising.” would all). It would create an individual right to data ownership and control that would allow people to see what data a company has collected about them, correct it, delete it, or export it to them for their own use, and have it sold or to refuse the transfer of their data.
Data brokers — referred to in the draft text as “third-party collectors” — must register with the Federal Trade Commission, allow audits of their collection and use of data, and collectively comply with individuals’ “Do Not Collect” requests. This section appears to lean heavily from a bipartisan data broker bill introduced in February.
The bill would assign enforcement to the FTC, which brings privacy cases under its authority today(Opens in a new window) to investigate “unfair or deceptive acts or practices.” States could also bring cases under the law, but individuals could not do so for the first four years of the law and could then only file suits for specific violations.
Recommended by our editors
The law would pre-empt state laws like the California Consumer Privacy Act, but not those that address data breaches and the privacy of employees, students and doctors, among other things. It also expressly waives the Illinois biometric and genetic privacy laws and a 2020 California law(Opens in a new window) which allows people to sue for damages when poor account security practices at companies lead to their data breaches.
The preemption portion is possibly the most difficult section of the bill. Tech companies don’t want to operate under a patchwork of state laws, and many pro-market Republicans want to avoid that, too. But many Democrats don’t want to stop government attempts to do something when Congress has done nothing to protect privacy for so long and has bills of its own(Opens in a new window) out or in the works that state laws would leave alone.
That’s a lot to consider with this new proposal. But one thing it doesn’t get much time from is Congressional time before the midterm elections(Opens in a new window). The next chapter in this proposal could be one that privacy advocates have heard many times: wait until next year.
Get our best stories!
Sign up for What’s new now to get our headlines delivered to your inbox every morning.