Last year, Representative Suzan DelBene (D-WA) introduced a privacy bill, the Information Transparency & Personal Data Control Act (Data Control Act). Public Knowledge provided input to Rep. DelBene’s office on the development of its discussion draft. However, we were disappointed to see that, upon introduction, the substance of the bill had been watered down from the discussion draft. In response, we published a blog post in which we expressed our frustration with the weakened final bill and outlined our concerns. Rep. DelBene re-introduced the bill with some important additions this Congress, and it has recently gained some traction. Public Knowledge still does not support the bill as written.
We are glad to see members remain active on privacy issues by introducing targeted bills that add to the federal privacy conversation and debate. What is ultimately needed, however, is for Congress to pass a comprehensive federal privacy law to best protect consumer and user privacy. That said, the Data Control Act contains provisions that are worth applauding and incorporating into more comprehensive legislation.
First, the bill articulates what meaningful user notice can look like, increasing transparency in a confusing data sharing ecosystem. Second, a key addition to the 116th Congress version of the bill is that it bolsters the Federal Trade Commission’s resources with $35 million in appropriations and requires the Commission to hire more employees, including technologists, to focus on privacy and data security issues. Third, we applaud the bill for giving the Commission authority to levy civil penalties on first-time violators of the law. Strengthening the FTC’s enforcement authority is an important part of a privacy bill, both to remedy privacy violations and to deter violators from engaging in misconduct in the first instance. We support efforts here, and in other bills like Senator Ron Wyden’s “Mind Your Own Business” Act, to grant strong civil penalty authority to the Commission.
But what the narrow Data Control Act fails to include is material and significant, meaning the bill as standalone legislation would fail to effectively safeguard consumer privacy. For guidance on what a comprehensive privacy bill should include, 34 consumer and privacy advocacy organizations in the public interest community have published principles and priorities for federal privacy legislation.
The current U.S. data privacy regime is mainly premised on voluntary industry self-regulation, and this model has failed consumers. Moreover, current enforcement mechanisms have failed to hold companies accountable or to provide meaningful relief to consumers for privacy violations. In order for privacy protections to be meaningful, they must protect civil rights and prevent unlawful discrimination. They should enable individuals and governments at all levels to enforce privacy rights and provide for meaningful redress if privacy rights are violated. Strong federal privacy legislation would ensure that these principles are codified into law. The Data Control Act does not include certain protections that are critical to ensuring meaningful privacy protection.
Increased Agency Authority
Additional staffing and funding for the FTC is important, but the agency must also be empowered with broad authority and regulatory flexibility. The Data Control Act gives the FTC narrow rulemaking authority under the Administrative Procedure Act (APA) to promulgate rules related to the bill’s notice and consent provisions. However, at a time when technology is outpacing our laws, the FTC will need broader APA rulemaking authority to ensure regulatory flexibility as it relates to numerous other issues, including data portability requirements and regulations governing reasonable security requirements on covered entities.
Private Right of Action and No Preemption of State Law
Enforcement authority cannot stop at the federal level. Comprehensive federal privacy legislation should empower state attorneys general to bring claims. The Data Control Act gives state AGs this ability, but they can only obtain “appropriate injunctive relief” instead of the full range of legal remedies, including money damages.
Privacy legislation should also provide a private right of action (along with a ban on forced arbitration) so that individuals may have their day in court when their right to privacy is violated. Such a private right is absent from the Data Control Act. Even if the FTC has more enforcement authority, it will not have the bandwidth to enforce every privacy violation that harms consumers and users. State AGs can fill some of this enforcement gap by going after smaller or more local actors. Individuals provide a final layer of enforcement to ensure that violations and harms don’t fall through the cracks or go unremedied merely because state and federal enforcement agencies are budget or bandwidth constrained. Private rights of action are particularly important for marginalized communities that have not been able to rely on the government to adequately enforce their rights. A robust enforcement regime is critical to deter bad behavior and strengthen consumer protection.
Moreover, federal privacy legislation should not preempt states or localities from passing laws that establish stronger protections for users, and especially for vulnerable populations. In other words, the federal legislation should be a “floor” and not a “ceiling” when it comes to protecting American consumers. It is entirely appropriate and consistent with state consumer protection practices for states and localities to adopt stronger privacy protections, in addition to what is established as a federal baseline. As written, the Data Control Act preempts any civil provision of the law of any state to the extent that the law is “focused on the reduction of privacy risk” through regulation of sensitive data processing.
Civil Rights Protections
While civil rights law has promoted equal opportunity in brick-and-mortar commerce, modern privacy legislation must protect equal opportunity in online commerce as well. Legislation must ensure that regulators can prevent or stop harmful action, require algorithmic accountability, and prevent data processing that unfairly discriminates against marginalized communities. Without civil rights protections online, for example, companies can use personal information to engage in unfair discrimination like digital redlining and predatory marketing in employment, housing, credit, education, and insurance opportunities.
Legislation should mandate that covered entities limit the collection, use, and retention of users’ personal data to only what is necessary to provide the product or service, with limited exceptions for fraud prevention, security, or compliance with other laws. Decreasing the amount of personal data a company can store would minimize the amount of personal data that will inevitably be leaked when the next data breach occurs.
User privacy is at risk in the absence of strong data security protections. Comprehensive federal privacy legislation must require covered entities to implement a reasonable data security program that is consistent with industry best practices, including physical, administrative, and technical safeguards to protect the confidentiality, integrity, and availability of data. Such a requirement is best handled through regulations to ensure that the rules are relevant to a covered entity’s business model and resources and do not present an undue compliance burden.
Data Portability and Interoperability
In today’s digital economy, a small group of tech giants has gained unprecedented scale and enormous market power. As a result, potential competitors face higher barriers to entering these markets. To lower those barriers, federal privacy legislation should set standards for data porting, which would require platforms to allow users to move their information from one platform to another. For example, if a user has a Facebook account, data portability would allow that user to take their information from Facebook to a different or new social media platform. If users have the ability to port their information, the threat of losing consumers to a competitor may encourage platforms to be more thoughtful about their collection and use of personal data.
Relatedly, regulators should have authority to mandate interoperability requirements on dominant platforms so that competitors can offer customers access to dominant networks. In other words, to stick with our Facebook user, the ability to port one’s information is not useful unless the two platforms are compatible and can understand each other and the information that is sent over. Data portability and interoperability are complex concepts and show the importance of having an expert agency to create regulations with more detailed standards and definitions. We expect that a foundation of strong privacy and security protections paired with data portability and interoperability requirements will improve competition, thus lessening the concentration of user data held by a small handful of giant tech platforms as well as creating incentives for companies to compete for users by handling user data more responsibly.
Rep. DelBene’s bill permits any data processing, storage, and collection of sensitive personal information as long as it is “consistent with a controller’s relationship with users as understood by the reasonable user.” But it is unclear what that means. For example, platforms can argue that “reasonable users” understand that in order for consumers to use their service, the platform shows users targeted ads, and in order to have better targeted ads the company needs to collect as much personal data as it can. As written, the Data Control Act leaves too much discretion to the platforms themselves to define “reasonable.”
In general, any comprehensive bill must avoid loopholes that allow companies to get around their privacy obligations, such as language that lets companies contract out of their obligations through terms of service agreements. The best way to avoid such loopholes is to include affirmative bans on these types of activities. For example, Senator Markey’s Privacy Bill of Rights Act explicitly prohibits any rights and remedies under the bill from being “waived or limited by contract or otherwise.”
While we support certain aspects of the bill, we believe the Data Control Act should be read as a targeted privacy bill that attempts to move the conversation forward on federal privacy legislation. As such, it should not be mistaken to be a model for comprehensive privacy legislation. However, as highlighted above, Rep. DelBene’s bill includes several components that merit inclusion in a strong, comprehensive bill. We encourage Congress to keep working together to create strong federal privacy legislation that ensures meaningful privacy for consumers.
Image credit: Alpha Stock Images