Should the Federal Trade Commission Help Congress Craft a National Data Privacy Law? (S. 142)
Do you support or oppose this bill?
What is S. 142?
(Updated May 20, 2019)
This bill — the American Data Dissemination (ADD) Act — would create a national consumer data privacy law that protects both consumers and the internet economy. It’d update the Privacy Act of 1974 to account for modern technology and creates clear protections that consumers can understand and would direct the Federal Trade Commission (FTC) to develop and enforce the updated law.
Within 180 days after this bill’s enactment, the FTC would be required to submit detailed recommendations for privacy requirements for Congress to impose on covered providers. These requirements would be substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
No earlier than a year after the submission of the FTC’s recommendations (18 months after this bill’s enactment), the FTC would publish and submit to the appropriate congressional committees proposed regulations to impose privacy requirements on covered providers that are substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
Finally, to ensure that Congress acts in a timely manner, if Congress fails to enact a law based on the FTC’s recommendations by two years after this bill’s enactment, the FTC would be directed to promulgate a final rule to impose privacy requirements based on the narrow, Congressionally-mandated course of action created in this bill. This FTC rule would be finalized no later than 27 months after this bill’s enactment.
The FTC would be required to establish criteria for exempting small, newly formed providers from the requirements under the regulations. These criteria would take into account: how long the provider’s been operating, the provider’s annual revenue, and the number of individuals about whom the provider collects records.
This bill would also provides consumers with rights to access, correct, and delete records maintained by a covered provider that are inaccurate, irrelevant, untimely, or incomplete as defined by the FTC.
This bill would supersede any state laws that pertain to the same consumer data that it governs. Covered consumer data would include names, Social Security Numbers, other government ID numbers, financial transactions, medical histories, criminal histories, employment histories, user-generated content, unique biometric data (e.g., fingerprint, voice print, retina or iris image, or other unique physical representations), and other personal data collected by companies.
“Covered providers” would be defined as entities that provide services that use the internet and collect records.
Argument in favor
Consumers’ data is immeasurably valuable to companies in the digital economy. Thus, it’s necessary to protect their information from bad actors and companies collecting and selling their information without their permission. This bill is a first step towards creating those protections.
Argument opposed
This bill overrides states’ abilities to create their own more stringent consumer data protection laws and has a long timeframe for the enactment of the actual law. Additionally, it’s not clear that the FTC is equipped to determine the right consumer data protection framework.
Impact
Consumers; consumer data; Silicon Valley; tech companies; the FTC; and Congress.
Cost of S. 142
A CBO cost estimate is unavailable.
Additional Info
In-Depth: Sen. Marco Rubio (R-FL) introduced this bill to protect consumers’ data while also protecting innovation in the digital economy:
“There has been a growing consensus that Congress must take action to address consumer data privacy. However, I believe that any efforts to address consumer privacy must also balance the need to protect the innovative capabilities of the digital economy that have enabled new entrants and small businesses to succeed in the marketplace. That is why I am introducing the American Data Dissemination Act, which will protect small businesses and startups while ensuring that consumers are provided with overdue rights and protections. It is critical that we do not create a regulatory environment that entrenches big tech corporations. Congress must act, but it is even more important that Congress act responsibly to create a transparent, digital environment that maximizes consumer welfare over corporate welfare.”
In an op-ed in The Hill, Sen. Rubio argues that it’s time for Congress to address consumer data privacy:
“The current structure of most privacy policies that users blindly accept protect tech providers instead of user privacy and data. This is unacceptable, which is why I am introducing the American Data Dissemination (ADD) Act… It is important Congress legislate the new rules of the road, but we should use the non-partisan expertise from the agency of jurisdiction to ensure lawmakers make informed decisions to properly protect consumers… However, my bill also takes important precautions to ensure it does not entrench large, incumbent corporations. Facebook, Apple, Amazon, Netflix, Google (FAANG) and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG’s current dominance. We should be cautious in balancing the legitimate privacy needs of individuals with the important contributions the Internet has made to increase our societal knowledge sharing capabilities. While we may have disagreements on the best path forward, no one believes a privacy law that only bolsters the largest companies with the resources to comply and stifles our start-up marketplace is the right approach.”
In an article in Time magazine, Apple CEO Tim Cook called for federal online privacy rules. Cook also called for the FTC to create a “data-broker clearinghouse” for all data brokers to register, allowing consumers to track what information of theirs is collected and sold:
“In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.”
American Action Forum’s Will Rinehart predicts that this bill will face opposition from Democrats and advocates:
“The bill will likely face opposition from Democrats and advocates, since it would create an expansive privacy regime, supersede state laws, and grant the FTC wide latitude in creating new privacy rules… [It] also faces an uphill battle in Congress. Privacy-regulation advocates and Democratic leadership have fought federal preemption, as a federal law would supersede more restrictive state efforts such as the recently passed California Consumer Privacy Act. Furthermore, since data privacy is one of the few issues where there is some bipartisan agreement, it is difficult to imagine that congressional leaders would choose to hand over their authority to a federal agency. The ADD Act of 2019 might be the first of its kind out of the gate, but it likely won’t be the final form of a federal privacy law.”
California Attorney General Xavier Becerra is opposed to this bill, as his state has already imposed its own privacy law that gives consumers more control over how their personal data is collected, used and sold by corporations — and this bill would supersede that law. AG Becerra’s communications advisor, Sarah Lovenheim, wrote on Twitter, “We oppose any attempt to preempt California’s privacy laws.”
The National Consumers League and consumer advocacy group Public Knowledge oppose this bill. Public Knowledge contends that it’s a “step backwards” that wouldn’t do much to protect Americans’ data privacy. Gus Rossi, Global Policy Director at Public Knowledge, says:
“Sen. Rubio’s severely limited bill is better suited to Americans living in 1974 than today. In the post-Equifax era, Americans face a constant stream of data breaches and scandals that clearly demonstrate a need for real protections, not mere lip service.This bill does not adequately protect Americans’ data or give consumers the control they want and need to protect themselves online. We cannot support this bill. The 1974 Privacy Act is fundamentally a transparency and data accuracy law, designed well before the popularization of the internet and cloud computing. Adapting the 1974 Privacy Act to the private sector would do nothing for Americans fighting to control their personal information in the modern world. In 2019, Sen. Rubio’s proposal is ‘too little, 45 years too late,’ and at a disproportionately high cost: preempting meaningful state innovation in privacy protection. Additionally, in a best-case scenario, it would be years before this bill resulted in any remotely meaningful protection, leaving consumers vulnerable. And finally, it’s absurd that the bill would preempt state law and constrain the jurisdiction of specialized agencies like the FCC in exchange for very limited protections for consumers. Congress should legislate to solve today’s problems -- not cut the privacy debate short with a bill that represents an antiquated approach to consumer privacy.”
Susan Grant, director of consumer protection and privacy for the Consumer Federation of America, adds that rather than relying on Congress, an independent data protection agency should be established:
“[T]his bill fails to adequately address the modern ecosystem of data collection and use and would nullify stronger state laws. Furthermore, we need an independent data protection agency that can promulgate rules without having to submit them for Congressional approval.”
James Shreve, a partner at Thompson Coburn, observes that the issue of preemption over state laws — which tech companies would like to see in a federal data privacy law — may make this bill difficult to pass in the House. He explains, “I think it will be difficult to get a pre-emption bill through the House. The cost of doing so might be a more stringent federal requirement.”
In January 2017, a consumer advocacy coalition calling for a systematic overhaul of U.S. data privacy laws alleged that the FTC isn’t up to the job of protecting consumers’ data.
Of Note: Silicon Valley companies have been seeking federal privacy legislation since June 2018, when California passed the strictest data privacy law in the U.S. Big tech companies and internet services providers have said they want federal legislation that’d preempt California’s strict new rules. With the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2019, the industry is already adjusting to tighter controls on its use of consumer data.
Some activists and Democratic lawmakers have signaled that they won’t support federal privacy legislation if it weakens state-level efforts like California’s. Sen. Brian Schatz (D-HI) says, “The Holy Grail is preemption” of state rules. He adds the Democrats wouldn’t replace a “progressive California law with a non-progressive federal law.”
After a series of data privacy scandals in 2018, lawmakers have become more vocal about their concerns on data privacy issues, including how Facebook and Google collect and use data for advertising and how companies protect sensitive information from being stolen. In January 2019, several lawmakers called on the FTC to consider investigating telecom giants after a report discovered companies, including AT&T and T-Mobile, had been selling user location data.
Media:
-
Sponsoring Sen. Marco Rubio (R-FL) Press Release
-
Sponsoring Sen. Marco Rubio (R-FL) One-Pager
-
Sponsoring Sen. Marco Rubio (R-FL) Op-Ed
-
Public Knowledge (Opposed)
-
National Consumers League (Opposed)
-
American Action Forum
-
Ars Technica
-
Broadcasting+Cable
-
Adweek
-
Axios
-
The Verge
Summary by Lorelei Yang
(Photo Credit: iStockphoto.com / ipopba)
The Latest
-
Protests Grow Nationwide as Students Demand Divestment From IsraelUpdated Apr. 23, 2024, 11:00 a.m. EST Protests are growing on college campuses across the country, inspired by the read more... Advocacy
-
IT: Here's how you can help fight for justice in the U.S., and... 📱 Are you concerned about your tech listening to you?Welcome to Thursday, April 18th, communities... Despite being deep into the 21st century, inequity and injustice burden the U.S. read more...
-
Restore Freedom and Fight for Justice With GravvyDespite being deep into the 21st century, inequity and injustice burden the U.S., manifesting itself in a multitude of ways. read more... Criminal Justice Reform
-
Myth or Reality: Is Our Tech Listening?What's the story? As technology has become more advanced, accessible, and personalized, many have noticed increasingly targeted read more... Artificial Intelligence