Yet another senator has released a draft of a privacy bill, and it echoes elements of the EU’s strict GDPR regulations, as well as California’s controversial privacy law. What it doesn’t do is resolve the question of whether consumers should be able to “opt out” of having their data shared by tech companies.
Sen. Catherine Cortez Masto (D-Nev.) unveiled the Digital Accountability and Transparency to Advance (DATA) Privacy Act last week, highlighting values like the right to deletion and clear, concise privacy policies that consumers can understand.
Most notably, the bill does not preempt state laws, but includes civil penalty authority for the Federal Trade Commission (FTC), a right to privacy regardless of race, gender, political or religious affiliation, and prohibits political ad targeting and price discrimination based on one of those “protected characteristics.”
The bill also does not exempt any government organizations (federal, state, or local) from the privacy requirements listed, and requires tech companies to provide a clear “opt out” option to consumers that allows them to tell tech companies not to share their data with third parties or use it for anything other than the service the tech company provides to the consumer.
Cortez Masto’s bill also includes a “safe harbor” provision for tech startups who make less than $25 million a year and collect data on less than 3,000 people, which would encourage innovation while still requiring the big companies to meet certain privacy requirements.
Companies that make more than $25 million a year and collect data on 3,000 or more people must appoint a “privacy protection officer,” who must “educate employees about compliance requirements; train employees involved in data processing; conduct regular, comprehensive audits to ensure compliance and make records of the audits available to enforcement authorities upon request; maintain updated, clear, and understandable records of all data security practices undertaken by the covered entity; serve as the point of contact between the covered entity and enforcement authorities; and advocate for policies and practices within the covered entity that promote individual privacy.”
But the key sticking point appears to be the “opt out” issue. Neither industry players, lawmakers, or tech experts seem to agree on the need for an “opt out” approach in a federal privacy law.
The Center for Democracy and Technology released its own privacy bill a few months ago, which does preempt state laws but does not include an “opt out” provision for consumers or a “safe harbor” provision for tech startups. The CDT bill allows sharing or “licensing” of consumer data under certain conditions.
Sen. Brian Schatz (D-Hawaii) also released a privacy bill draft a few months ago, the Data Care Act, and instead of an “opt out” provision, it strictly prohibits companies from sharing or selling consumer data to third parties.
CDT President Nuala O’Connor, who testified before the House Energy and Commerce Subcommittee on Consumer Protection and Commerce last week, said in her testimony that “notice and consent” practices do not serve consumers well.
In her view, a federal privacy law should move beyond “opt out” provisions by simply forbidding companies from certain data-sharing practices.
“Existing privacy regimes rely too heavily on the concept of notice and consent, placing an untenable burden on consumers and failing to rein in harmful data practices,” she said. “This status quo burdens individuals with navigating every notice, data policy, and setting, trying to make informed choices that align with their personal privacy interests. The sheer number of privacy policies, notices, and settings or opt-outs one would have to navigate is far beyond individuals’ cognitive and temporal limitations. It is one thing to ask an individual to manage the privacy settings on their mobile phone; it is another to tell them they must do the same management for each application, social network, and connected device they use.”
At a Senate privacy hearing last fall, industry leaders like AT&T said consumers “should be able to choose how their data is used,” but didn’t offer specifics as to what that might look like. Last week, tech industry lobbyists told the Senate they want a “stronger” privacy law than California’s, but again, weren’t specific.
Michelle Richardson, director of CDT’s Data and Privacy Project, told InsideSources she thinks the opt out provision is “fine to include, in that there should be some aspect of personal control here, the problem is that there are hundreds if not thousands of companies that touch your data, and it’s not reasonable to expect that people will be able to exercise that right. It’s going to be incredibly difficult. That’s why we try to move the conversation away from opt-out.”
She also wishes the bill offered more “concrete details.”
“A lot of the details are left to the FTC to decide, as to what’s appropriate, what’s reasonable [for tech companies],” she said. “It’s a little bit of a gamble to have the FTC make all of the decisions. We want to make sure Congress sets some baselines that are clear.”
Advocacy group Public Knowledge, on the other hand, praised the discrimination provisions but said the bill wasn’t adequately comprehensive.
“For example, it preserves an outdated distinction between sensitive and non-sensitive data, lacks requirements for companies to conduct privacy risk assessments for high-risk data processing, and, crucially, does not provide consumers with a private right of action to have their day in court individually and as a class to seek damages and injunctive relief for violations of their privacy,” Dylan Gilbert, policy fellow at Public Knowledge, said. “We look forward to working with Sen. Cortez Masto to protect consumer privacy through a more comprehensive bill.”
