US Congress proposes comprehensive federal data privacy legislation—finally

The United States might be the only country of its size—both in economy and population—to lack a comprehensive data privacy law protecting its citizens’ online lives.

That could change this year.

Never-ending cybersecurity breaches, recently-enacted international privacy laws, public outrage, and crisis after crisis from the world’s largest social media company have pushed US Senators and Representatives into rarely-charted territory: regulation.

Before Congressmembers’ desks are at least four federal bills that would change how companies handle and protect Americans’ private data. The bills seek better user privacy through increased transparency, oversight, fines, and liability, and, in the case of one bill, the possibility of jail time for dishonest tech executives.

Several US states are also considering comprehensive data privacy bills, taking inspiration from California, which passed its own law last year. If those state laws pass, a new wrinkle will be added to the broader country-wide debate: Should state privacy protections be respected or should one federal law supersede those rules?

This month, Malwarebytes Labs launched its limited blog series about data privacy and cybersecurity laws. In this second blog in the series, we explore five federal data privacy bills.

How we got here

For decades, Congress regulated data privacy based on single, sector-specific issues. Rather than writing laws to protect all types of data, they instead wrote laws to combat individual crises.

In the late 80s, that crisis was a Supreme Court nominee’s video rental history being leaked to the press, resulting in the Video Privacy Protection Act. In the late 90s, that crisis was the potential targeting of children online, resulting in the Children’s Online Privacy Protection Act. In the mid-2000s, the kidnapping and murder of a Kansas teenager prompted lawmakers to discuss lowering protections on GPS data held by cell phone providers. (The proposed bill failed passage multiple times.)

This reactive approach is just how Congress works, said Michelle Richardson, director of the data and privacy project at Center for Democracy and Technology (CDT).

“This country has generally allowed companies to do their thing until something goes quite wrong,” Richardson said. “It has to get worse before the US and its decision-makers and its cowboy personality feel ready to intervene.”

Today, Congress is again ready to intervene. The crisis at hand is two-fold.

First, data breaches of Yahoo, Uber, Equifax, Marriot, Target, the Sony PlayStation Network, Facebook, Anthem, JPMorgan Chase, and many more have resulted in Americans’ personally identifiable information being stolen or accessed by cybercriminals. This PII includes names, Social Security numbers, credit card numbers, passport numbers, dates of birth, account passwords, physical and email addresses, and even employment histories.

Second, even when a company hasn’t suffered a breach, Americans’ personal data has been misused or left astray. The FBI searched private company DNA databases. A period-tracking app shared its users’ pregnancy decisions and menstrual tracking information with Facebook. And political beliefs were reaped in an effort to sway a US presidential election.

Congress has concluded that user privacy can no longer be solely entrusted to America’s technology companies.

“The digital space can’t keep operating like the Wild West at the expense of our privacy,” said Amy Klobuchar, Democratic Senator of Minnesota and presidential candidate.

Data privacy legislation has huge support outside of Capitol Hill, too—from the public. Richardson said that, thanks to the work of researchers, journalists, and civil liberties advocates, the public better understands how their data moves from company to company.

“We don’t give nearly enough credit to civil media [outlets] and civil society [groups] for the research they’ve done into data practices and for giving people cold, hard facts about how their data is collected,” Richardson said.

That research has exposed not just personal data misuse, but also corporate irresponsibility.

Last year, Reuters showed that Facebook failed to fulfill its promise to control the wildfire-like spread of hate speech on its platform in Myanmar. The Intercept exposed Google’s plans to build a censored version of its online search tool in China, resulting in several employee departures and renewed questions about Google’s removal of its “Don’t Be Evil” tagline. ACLU showcased the failures in Amazon’s facial recognition software, revealing that the technology falsely matched 28 members of Congress with mugshots of arrestees.

Some US states have already responded.

Last year, Vermont passed a law regulating data brokers, and California passed its California Consumer Privacy Act. The law gives Californians the right to know which data is collected on them, whether that data is sold, the option to opt out of those sales, and the right to access that data. The law will take effect at the start of 2020.

In the meantime, other states are aiming to follow suit. Washington, Utah, and New York legislatures are all considering new laws that could give their residents better access and control to the information that companies collect on them.

International data privacy law is even further ahead.

Last year, the European Union successfully completed its effort to pull together the data privacy laws of its 28 member-states into one cohesive package. The General Data Protection Regulation came into effect on May 25, 2018, and since then, it has produced lawsuits against Facebook and a record fine out of France against Google.

At home and abroad, regulation is in the air.

The proposals

Since last April, multiple US Senators have tried to take on the mantle of the public’s chief data privacy protector. Some tried to show their commitment to data privacy by asking Facebook CEO Mark Zuckerberg pointed questions during his Congressional testimony regarding the Cambridge Analytica scandal. One Senator—and presidential candidate—made a direct public appeal to break up Amazon, Google, and Facebook.

But in putting actual ideas onto paper, four Senators have emerged as frontrunners in America’s data privacy debate. Senators Klobuchar, Ron Wyden of Oregon, Marco Rubio of Florida, and Brian Schatz of Hawaii have directly sponsored individual, separate bills to protect Americans from opaque and unfair data collection.

Google, Facebook, Amazon, Apple, Microsoft, Yahoo, Uber, Netflix, and countless others could be affected by these proposals.

The bills ask for essentially the same thing: tighter controls on user data. Consequences often include higher fines from the Federal Trade Commission (FTC), which currently serves as the country’s primary data misuse regulator.

Sen. Klobuchar’s bill—the first of the four to be formally introduced in April 2018—would require certain companies to write their terms of service agreements in “language that is clear, concise, and well-organized.” It would also require companies to give users the right to access data collected on them (similar to California’s state bill and to GDPR), along with notifying users about a data breach within 72 hours.

Sen. Rubio’s bill—the American Data Dissemination Act (ADD)—would require the FTC to write its own privacy recommendations for Congress to later approve. The ADD asks that the FTC’s  rules closely align with the Privacy Act of 1974, which restricts how federal agencies collect, store, and share Americans’ personal information. If passed, the FTC would have up to 27 months to get its own recommendations approved.

The ADD would also “preempt”—meaning, it would nullify—current and upcoming state data privacy laws. If passed, companies would only need to comply with the FTC’s federal rules that Congress would later approve. California and Vermont would wave goodbye to their newly-passed laws, and Utah, Washington, and New York would likely shut down their own efforts.

But preemption could be a deal-breaker for free speech advocates, digital rights groups, and government representatives.

“Under the Rubio bill, Americans would not have their privacy protected,” said Center for Digital Democracy Executive Director Jeff Chester, in speaking to Bloomberg. “State preemption is a non-starter as far as the consumer and privacy groups community and their allies in Congress are concerned.”

In California, the state’s attorney general also pushed back.

“For those of you following debate over data #privacy, note: We oppose any attempt to pre-empt #California’s privacy laws…” wrote Sarah Lovenheim, communications advisor to California Attorney General Xavier Becerra.

The opposition to Sen. Rubio’s bill is compounded by its slow timeline, making it impossible for lawmakers to know what specific rules they could be asked to approve in two years’ time.

The ADD demands Congress make an unknown, gameshow-style choice: Keep the data privacy protections you have, or choose what’s behind Door Number Two?

Sen. Wyden’s bill—the Consumer Data Protection Act—sets itself apart as the only bill that includes jail time consequences.

Sen. Wyden’s bill would require data-collecting companies to deliver annual reports that detail their internal privacy-protecting efforts. Those reports would need to be signed and confirmed by a high-level company executive, like a CEO or CTO. But if those executives confirm a false report, they could face jail time, the bill proposes.

The Consumer Data Protection Act would also require the FTC to set up a “Do Not Track” website where Americans could register to opt out of online tracking and third-party data sharing. Companies that fail to comply with consumers’ wishes would face fines.

This “Do Not Track” proposal is far from perfect. If a company’s requirement to get user consent clashes with that user’s Do Not Track preferences, the bill proposes a harmful compromise: Put the services behind a price tag. Paying for privacy is wrong, and, even if the bill passes, companies should refuse to engage in such a dangerous practice.

Finally, there is Sen. Schatz’s Data Care Act, which relies on a novel interpretation of corporate responsibility. The bill equates the responsibility that doctors have to their patients’ information as the same responsibility that technology companies should have to user data.

“Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same,” Sen. Schatz said in a press release.

The bill creates rules under five broad umbrellas—the “duty to care,” the “duty of loyalty,” the “duty of confidentiality,” federal and state enforcement, and rulemaking authority by the FTC to enforce the bill.

Fifteen Senators from both parties have signed on as co-sponsors, including Sen. Klobuchar. (Sens. Rubio and Wyden have not.) Several civil rights organizations, including Free Press, EFF, and CDT, have voiced support.

“We commend Senator Schatz for tackling the difficult task of drafting privacy legislation that focuses on routine data processing practices instead of consumer data self-management,” said CDT’s Richardson in a press release.

Here, Richardson is talking about something that she and the policy team at CDT find particularly important: consent. Many of today’s data privacy bills lean heavily on the idea that clearer terms of service and more notifications and more annual reports will somehow empower consumers to make the right choices for themselves when consenting to use online platforms.

But that’s unfair, Richardson said.

“[CDT’s] biggest concern is that a lot of these proposals are a notice-and-consent model. They look at these agreements we sign and say, ‘Maybe make them clearer,’ for example,” Richardson said. “That’s doubling down on our existing system, where it’s up to individuals to micromanage their relationships with hundreds, if not thousands of companies that touch their data every day.”

So, CDT—which routinely discusses already-authored legislation with Congressmembers—took a different approach. The organization wrote its own bill.

The bill’s rules are not built on consent. Instead, CDT’s bill focuses, Richardson said, on “what are the things you can’t sign away? What are your digital civil rights?”

CDT’s bill would give US persons—including residents—the rights to access, correct, and delete data that is collected on them, along with the right to take their personal data and move it somewhere else (which is similar to a right granted in the European Union’s GDPR). The bill would also require the FTC to investigate and write rules barring discriminatory practices in online advertising.

Companies affected by CDT’s bill would be given 30 days to put into place mechanisms for users to exercise their above rights. Also, if those companies license or sell personal information to third parties, they would need to assure that their third-party partners are practicing the same privacy commitments as the companies themselves.

Similar to Sen. Rubio’s bill, CDT’s bill would pre-empt state laws, but only those that focus on data privacy. Laws that deal with, say, consumer protection or data breaches, would remain intact.

As to which federal bill will prevail—it’s a bit of a tossup. Passing a bill into law is never as easy as getting the best idea forward. Big Tech is sure to lobby against any bill that would cut into its business model, and civil liberties groups could, depending on the legislation, disagree with one another about the best path forward.

Until then, CDT thinks it is taking the right approach, removing the burden from users and instead protecting what their rights should look like in the future.

Richardson put it plainly: “This is a moment about having corporations treat us better.”

In our next blog in the series, we will look at data privacy compliance for businesses seeking to expand outside the US market.