Opt-In Consent and DSARs in Democrat’s Internet Bill of Rights for Privacy

Democrats intend to push for sweeping changes to consumer privacy protections if they win the House of Representatives in November, according to several media sources this past week. The announcement over the weekend was followed up by yesterday’s news that Google+ would be shut down following a privacy breach that exposed the personal information of some users to more than 400 application developers, although Google says there is no evidence of misuse.

Rep. Ro Khanna (D-CA), who represents the people of the Silicon Valley area in the U.S. House of Representatives, recently released a draft of an Internet Bill of Rights that currently contains a list of 10 principles that could become the basis for a comprehensive federal privacy law next year if the Democrats control the House.

It was prepared at the direction of Rep. Nancy Pelosi (D-CA). According to the New York Times, Rep. Pelosi has even suggested that a new agency should be created to manage technology’s impact. This suggestion deviates from the opinion of many businesses, which would prefer to have the Federal Trade Commission (FTC) continue to enforce federal privacy law.

The published “Bill of Rights” includes data subject access rights (the right to access, correct, export and delete personal information), opt-in consent for the collection of data and third-party sharing, data security and net neutrality. The principles were developed in consultation with tech companies like Apple, Google and Facebook, as well as other people and organizations including the Center for Democracy and Technology.

Data Subject Access Rights (DSARs) are already a part of both the European Union (EU) General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CaCPA). They will likely be relatively uncontroversial except as they impact small businesses. California exempts businesses with less than $25 million in revenue or the personal information of less than 50,000 people annually. GDPR provides no exemption for small businesses to DSAR requests, requiring all organizations to provide citizens the ability to access, correct, delete and export their personal data.

Opt-in consent for data collection and sharing will be controversial. Businesses, for the most part, have been supporting a consumer right to opt-out of data sharing similar to the new California privacy law. However, some businesses are recognizing that consent and transparency are critical to building consumer trust around data. Charter Communications, for example, supported opt-in consent during the September 2018 hearing on consumer data privacy safeguards held by the U.S. Senate Committee on Commerce, Science and Transportation.

The Bill of Rights does not mention federal preemption, which is going to be another controversial aspect of any federal legislation on privacy. Businesses have been pushing for Congress to eliminate the prospect of a patchwork of 50 state laws regulating privacy since it could be costly, difficult to comply with and confusing for consumers.

The list follows the publication of several sets of principles for privacy regulation from business organizations as well the publication of a framework by Google. The National Telecommunications and Information Administration (NTIA) has independently released a set of high level goals and proposed privacy outcomes for public feedback. The National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce is also conducting public discussions on a voluntary privacy framework similar to the Cybersecurity Framework that it developed several years ago.

Here is the current draft of the Internet Bill of Rights from Rep. Khanna that was published by the media:

Set of Principles for an Internet Bill of Rights

The internet age and digital revolution have changed Americans’ way of life. As our lives and the U.S. economy are more tied to the internet, it is essential to provide Americans with basic protections online.

You should have the right:

(1) to have access to and knowledge of all collection and uses of personal data by companies;

(2) to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

(3) where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

(4) to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

(5) to move all personal data from one network to the next;

(6) to access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

(7) to internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

(8) to have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;

(9) not to be unfairly discriminated against or exploited based on your personal data; and

(10) to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

EU GDPR
– GDPR Compliance
– Consent Management Software
– GDPR Data Mapping Software
– DSAR Portal
– GDPR Text

ePrivacy
– Cookie Scanner
– Cookie Banner Generator
– Cookie Consent Manager
– ePrivacy Regulation

California Consumer Privacy Act
– CCPA Summary
– CCPA vs GDPR
– CCPA Privacy Software
– CCPA Webinar

Other Blog Posts on Privacy Bills in the US House:

Information Transparency and Personal Data Control Act
New Privacy Bills: APPS Act and DATA Act of 2018
Highlights of the Secure and Protect Americans’ Data Act in U.S. House
Highlights of Browser Act to Protect Privacy in U.S. House
BROWSER Act and Privacy Discussed in House Communications Subcommittee Hearing
Privacy Focus of Last Week’s DCCP Subcommittee Hearing on Digital Advertising
House Subcommittee Asks FTC Commissioners About Consumer Privacy
Do Not Track Kids Act Back in Congress