Lawmakers reveal plan to expand online privacy rights
Key federal lawmakers Sunday unveiled a sweeping proposal that would for the first time give consumers broad rights to control how tech companies such as Google, Meta, and TikTok use their personal data, potentially a major breakthrough in the decades-long fight to adopt national online privacy protections.
The bipartisan agreement, struck by Senate Commerce Committee Chair Maria Cantwell, a Democrat, and House Energy and Commerce Committee Chair Cathy McMorris Rodgers, a Republican, marks a milestone in the congressional debate over data privacy. The issue has befuddled lawmakers despite near-universal agreement — in Silicon Valley and in Washington — on the need for federal standards to determine how much information companies can collect from consumers online.
The measure, a copy of which was reviewed by The Washington Post, would set a national baseline for how a broad swath of companies can collect, use, and transfer data on the internet. Dubbed the American Privacy Rights Act, it also would give users the right to opt out of certain data practices, including targeted advertising. And it would require companies to gather only as much information as they need to offer specific products to consumers, while giving people the ability to access and delete their data and transport it between digital services.
Significantly, the deal — which marks one of Washington’s most significant efforts to catch up to privacy protections adopted in Europe nearly a decade ago — would resolve two issues that have bogged down negotiations for years: whether a federal law should override related state laws and whether consumers should be permitted to sue companies that violate the rules.
On Sunday, key lawmakers and industry leaders praised the proposal’s release, even as some already floated potential changes. Representative Frank Pallone Jr. of New Jersey, the top Democrat on McMorris Rodgers’s committee, called it a “very strong discussion draft” but said there are “key areas” where it could be “strengthened,” including children’s privacy. Microsoft president Brad Smith, whose company hails from Washington state, called it a “good deal” that would “provide clarity by establishing a national standard” on privacy. Both Cantwell and McMorris Rodgers are from Washington.
The bill would achieve a Republican goal by preempting over a dozen “comprehensive” state privacy laws that have sprung up amid congressional inaction, including a watershed California measure, while allowing state rules on more-targeted issues like health or financial data to stand. Meanwhile, it would allow an enforcement method championed by Democrats: civil lawsuits that would let individuals seek financial damages if companies fail to fulfill data deletion requests or to obtain express consent before collecting sensitive data.
“We have to have a bright line here where we’re catching bad actors and policing the information age,” Cantwell said in an interview Sunday.
News outlets reported Friday on the expected deal, but details of the proposal did not become public until Sunday. Later that day, the committees released two versions of the draft legislation.
In an interview Sunday with the Spokesman-Review of Spokane, Wash., McMorris Rodgers called it “a historic piece of legislation” that would “establish privacy protections that are stronger than any state law on the books.”