Congress may upend how online privacy works
The bill would ensure a uniform national standard for data privacy — preferable to a patchwork of conflicting, confusing state laws.
Congress has failed to pass a federal online privacy bill time and time again, despite widespread agreement that the rules governing Americans’ data are outdated and inadequate. Yet, at the risk of seeming Pollyannaish, this time could be different.
One good sign is that a new bill, the American Privacy Rights Act, drafted by Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.), is bipartisan. Another is that it includes compromises on the two issues that have divided legislators. Now that two key lawmakers, each chairing her chamber’s committee on commerce, have hashed out their differences on these subjects, the rest should be easy. That is, if Congress doesn’t get in its own way.
At the heart of Cantwell and McMorris Rodgers’ proposal is a long-awaited paradigm shift in modern-day privacy policy. Today, Americans trying to navigate online life must confront impenetrable terms of service that, in the end, often allow companies to do whatever they want with the data they collect from people using their services. This bill would place obligations on companies, limiting what they collect to what’s reasonable and necessary for the services they’re providing, rather than leaving it to users to figure out what information they are giving up, whether they are comfortable with that data collection and whether they can do without the service they are trying to access.
Two major compromises on heretofore unresolvable issues seem to have removed the biggest stumbling blocks. On the question of whether individuals may sue violating companies, the bill would impose no waiting period before citizens could bring cases, as had been previously proposed. But firms would have a chance to redress violations before they could be punished for them.
Some GOP senators might balk at any individual right to sue. Sen. Ted Cruz (Tex.) already has — complaining also about the possibility of the Federal Trade Commission becoming “referees of internet speech and DEI compliance.” (This is presumably in reference to the bill’s prohibition on using personal data to discriminate on the basis of race, sex and other protected characteristics.) But other Republicans seem likelier to stay at the table; after all, their concessions have led to a victory on the second major stumbling-block issue: whether a new federal privacy law would preempt state laws on the same subject.
The bill would ensure a uniform national standard for data privacy — preferable to a patchwork of conflicting, confusing state laws. Privacy advocates worried that robust state laws would be superseded by an anemic federal law. But the new proposal would be as tough as, if not tougher than, what states have mustered so far. Take Illinois’ statute safeguarding biometric and genetic information; the Cantwell-McMorris Rodgers bill takes special care to include similar provisions so that those crucial protections are preserved. Meanwhile, states’ “sectoral laws,” such as those that cover health care, student and employee privacy, and more, aren’t preempted at all.
There are flaws. Ample power would be delegated to the FTC, not only to enforce the law along with state attorneys general, but also to write more expansive rules and guidelines. Yet the FTC is understaffed and underfunded, so it would need extra support. The agency’s duties would include creating a registry of data brokers, with a “do not collect” mechanism consumers could use. That’s wise: Data brokers hoover up sensitive information from across the web and sell it to parties savory and unsavory alike, from loan sharks to foreign spies. But to have data already held by these shady operators deleted, consumers would have to visit every broker’s individual website. That’s a heavy enough lift that most won’t even try.
There’s plenty of room to address smaller issues such as these as the legislation, only a discussion draft, moves forward. More ambitious demands that the bill include heightened protections for children, however, ought to be left aside. Already, the Senate is well on its way to passing two separate measures on this subject: the Children’s Online Privacy Protection Rule and the Kids Online Safety Act. Those complex proposals deserve to be considered separately from the pending federal privacy bill. Tying them together could put both efforts at risk.
It has taken Congress too long to reach this point. Lawmakers shouldn’t waste their best chance yet to make Americans’ online lives safer and more secure.