A think tank and a senator both just released draft legislation aimed at strengthening consumer data and privacy protections, but experts already fear they are too limited in scope or too vague.

The Center for Democracy and Technology (CDT) announced a privacy bill draft that preempts state privacy laws (like the California Consumer Privacy Act, or CCPA), grants consumers the right to data portability and deletion (similar to the European Union’s GDPR), and restricts tech companies from collecting personal data that is unnecessary to complete the transaction or provide the service.

The privacy bill advocates for the Federal Trade Commission (FTC) to enforce any potential privacy law and advises adding 100 additional personnel to undertake privacy enforcement and consumer data protection issues. It would also grant the FTC civil penalty authority to crack down on tech companies that violate the law.

During a press briefing announcing the legislation, the CDT’s Director of the Privacy and Data Project Michelle Richardson said CDT considers the draft to be a work in progress, and said she wants to “get it out there” to inspire conversation, debate and, she hopes, improvements to the proposed legislation.

Richardson’s apparently getting her wish. The proposal is already drawing criticism.

Allie Bohm, policy counsel at Public Knowledge, told InsideSources that while the CDT’s draft is very specific in some areas, there are “serious gaps.”

According to Bohm, the draft assumes that consumers agree to a company’s “Terms of Service” in order to receive the service or product from the company. But by adjusting language in the “Terms of Service,” tech companies could find ways around some of the privacy protections the bill highlights, like restrictions on sharing personal data with third parties.

For example, she said, if you have HIV and don’t want tech companies to know that but have to reveal that information to comply with the “Terms of Service,” you’re basically being forced to give up your data. This is predicated on the argument that there is so little competition in the tech industry right now — as Apple, Facebook and Google own and administer most of the apps and services consumers use — that consumers don’t have a legitimate way to “opt out” of certain services.

“I don’t want you to be able to sell my HIV status to third parties, so lack of a consent mechanism is a problem,” she said. “There are very large carve outs in the bill — so even when it has good ideas and protections, it has some serious gaps.”

The American Enterprise Institute’s Roslyn Layton, a visiting fellow specializing in tech policy issues, told InsideSources the draft’s focus on the FTC and defining its role as primary enforcer with civil penalty authority is good, as well as the state law preemption clause.

But she worries about the lack of a safe harbor for small to medium-sized companies “to provide assurance for [those] that abide by the law,” and notes that government entities are not covered in the bill even though they are “leading processors of [consumer] data.”

Meanwhile, Hawaii Democrat Sen. Brian Schatz’s (D-Hawaii) has released the  Data Care Act, which mimics the CDT’s privacy bill in terms of consumer data protection. It highlights rights to portability and deletion, but it also strictly prohibits companies from sharing or selling consumer data to third parties (unlike the CDT’s privacy bill, which allows sharing or “licensing” under certain conditions).

Bohm said Schatz’s bill could also be more specific, especially with regard to how companies should respond to a data breach.

Schatz’s bill only requires companies to notify consumers of a data breach depending on the size of the company and the sensitivity of the data.

“This list is too limited to be effective,” Bohm said. “In fact, under the bill, Facebook would not have had to notify end users about Cambridge Analytica. Furthermore, the bill does not address how to handle conflicts between companies’ duties to their end users and their duties to their shareholders.”

Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), told InsideSources in an email that the “narrower” scope of the CDT’s privacy bill doubles its impact, which is a “credit” to the draft proposal.

By getting drafts are on the table, these consumer-focused privacy bills are already ahead of the tech companies in setting the terms for a final privacy bill — even though experts say there’s room for much improvement.

“Putting together legislation is hard,” Bohm said. “I think [the CDT’s] bill falls short in some really critical ways — I just think they have too many exceptions.”

Follow Kate on Twitter