Two New Privacy Bills Proposed in Congress
While the eyes of the privacy industry have recently been focused on the legislative developments at the state level and the requirements of the California Consumer Privacy Act (CCPA), we are also closely following potential legislative developments at the federal level. A comprehensive federal privacy bill, especially if it preempts legislation at the state level, will have a transformative effect on the U.S. privacy landscape akin to the GDPR and the CCPA.
Below, we discuss two new notable proposals for a federal privacy bill: the Mind Your Own Business Act by Senator Ron Wyden (D-Ore.) and the Augmenting Compatibility and Competition by Enabling Services Switching Act proposed by Senators Mark Warner (D-Va.), Richard Blumenthal (D-Conn.), and Josh Hawley (R-Mo.).
By way of background, federal lawmakers proposed at least eight different privacy bills over the last two years and conducted several hearings on the topic. According to a report published by the International Association of Privacy Professionals (IAPP), there is an emerging consensus among the legislators regarding the value, efficiency, and reduction of confusion that would be brought by harmonizing the fragmented landscape of state privacy and data protection regulations. The most common provisions proposed in the draft legislation include a right of access, right of rectification, right to delete personal data, opt-in consent, and data breach notifications. A number of bills require some form of privacy or data protection risk assessments. The major points of disagreement in the debate over a federal privacy bill, which seem to be split on partisan lines, remain the issues of preemption and private right of action.
The Mind Your Own Business Act, which builds on Senator Wyden’s 2018 draft Consumer Data Protection Act, would expand the Federal Trade Commission’s (FTC) staff and empower it to establish minimum privacy and cybersecurity standards as well as issue fines up to 4% of annual revenue on the first offense for companies and 10-20 year criminal penalties for senior executives for knowingly lying to the FTC.
It would create a national Do Not Track system which lets consumers stop companies from tracking them on the web, selling or sharing their data, or targeting advertisements based on their personal information. Companies that wish to condition products or services on the sale or sharing of consumer data would be required to offer a similar privacy-friendly version of their product for which they can charge a reasonable fee, which would be waived for low-income consumers. In addition, the Act would give consumers the right of access and rectification of their personal information, and require companies to assess consumer data processing algorithms for accuracy, fairness, bias, discrimination, privacy, and security.
The Augmenting Compatibility and Competition by Enabling Services Switching Act proposed by Senators Mark Warner (D-Va.), Richard Blumenthal (D-Conn.), and Josh Hawley (R-Mo.) takes a less comprehensive approach. It would require social media platforms to make user data portable and allow consumers to transfer their data (including profile information, friends lists, etc.) between companies. (Notably, the right to data portability is the least common right among the existing federal proposals.) In addition, the bill would require social platforms with over 100 million U.S. monthly active subscribers to make their services interoperable with other platforms. According to Senator Warner, one of the bill’s sponsors, the aim of these requirements is to promote competition in the social media industry, the same way number portability increased competition in the cell phone industry. The proposed law would also allow consumers to designate a third-party service to manage their privacy and account settings.
How close are we to having any of these proposals enacted into law? Speaking at a recent privacy conference, a number of former government officials who worked on U.S. privacy for the Obama Administration cautioned that federal privacy legislation is likely some time away but noted that a proposed ballot measure for new California privacy legislation (already dubbed “CCPA 2.0”) as well as general public appetite for privacy regulation might expedite the timeline.
Clarip will continue to closely monitor and analyze the proposed federal legislation and developments surrounding a potential federal privacy bill and update our readers on this blog.