Senate Democrats introduced sweeping data privacy protections Tuesday in an effort led by Sen. Maria Cantwell (D-Wash.) to federally regulate tech company business practices.
The bill would establish new privacy rights for all Americans while still allowing states to pass their own regulations. It’s an ambitious proposal likely to face an uphill battle with Republican opposition, a Congress distracted by the impeachment inquiry, and an upcoming election year.
Still, the bill represents a significant step forward in the effort to enact federal privacy protections and reveals the position Democrats will take as they begin negotiations. Lawmakers have been in touch-and-go discussions on federal privacy legislation for nearly two years in the wake of Facebook’s Cambridge Analytica scandal and a series of smaller incidents that exposed the power Big Tech wields.
“We need to create a culture in which everybody within these organizations understands that consumers deserve to have privacy rights, they need to be protected from harmful and deceptive practices and there will be a consequence if they break those laws,” Cantwell said Tuesday in an interview with GeekWire.
The Consumer Online Privacy Rights Act establishes these rights and regulations:
- Grants consumers the right to ask what data is collected about them, who that information is shared with, and the reason for sharing it
- Grants consumers the right to control the movement of their data, including the ability to delete or correct it
- Grants consumers “the right to be free from deceptive and harmful data practices”
- Requires companies to get consent before collecting users’ sensitive information, including biometric and location data
- Beefs up the FTC’s enforcement abilities
- Gives individuals the right to sue tech companies if their privacy is violated
The individual right to sue, also known as the private right of action, is likely to be a sticking point for big tech companies. It opens the door for thousands of lawsuits from individual consumers, rather than only allowing regulators to bring cases.
Cantwell, a former RealNetworks exec, said that the private right of action “would help create better awareness about the rules on the books.”
Once staunchly resistant to regulation, big tech companies have come around to the idea of a federal privacy bill in recent months. But one of their key motivations is establishing federal standards to avoid having to comply with a patchwork of state laws. Cantwell’s bill doesn’t accomplish that outcome because it allows states to continue passing their own privacy regulations.
“This is going to continue to evolve and we want to hear what states have to say about that,” Cantwell said. “As we talk about a larger federal bill, there’s a lot of push in Washington, by some, to have just a federal statute, but that’s a discussion point that’s going to happen over the next several weeks.”
California became the first state in the nation to establish data privacy laws through the California Consumer Privacy Act. California passed the law last year and it takes effect in January 2020. The federal bill introduced Tuesday shares basic principles and rights with CCPA.
Democrats in Cantwell’s home state, Washington, want to follow California’s lead. They tried unsuccessfully to pass data privacy regulations last session and plan to revive the bill next year. Those efforts would not be preempted by the federal bill in its current form.
As U.S. efforts to regulate data privacy have stalled, Europe has sped ahead. The European Union became the global leader in online privacy regulation in 2018 when it adopted GDPR, the General Data Protection Regulation. Since then, Europe has had some of the world’s strongest data privacy rules.
As the top Democrat on the Senate Commerce Committee, Cantwell has taken a keen interest in technology issues, advocating for net neutrality and other consumer protections. Senators Brian Schatz, Amy Klobuchar, and Ed Markey introduced the privacy bill with Cantwell.
“This legislation represents a sea change, particularly in the way federal law thinks about privacy harm,” said University of Washington law professor Ryan Calo in a statement. “As the bill makes abundantly clear, violating the privacy rights and expectations of consumers is harmful in and of itself, a harm that must be redressed by regulators and courts.”
Calo advised Cantwell’s team during the policymaking process.
It’s no accident that Senate Democrats introduced their data privacy bill during the biggest shopping week of the year. In their press release, they cited a Deloitte study that predicts consumers will spend 59 percent of their holiday shopping budget online. E-commerce retailers like Seattle-based Amazon are preparing for record sales and narrowing shipping times to entice more customers. U.S. e-commerce sales are expected to reach $143.7 billion this holiday season, up 14 percent year-over-year, according to Adobe Analytics.
“Here’s this shopping season, where now 59 percent of all purchases are going to be made online,” Cantwell said. “Our world is moving more and more and more to this online arena … we think this framework fits for that era and can grow with the challenges that we see down the road.
The Senate Commerce Committee will discuss the new privacy bill at a Dec. 4 hearing with representatives from Microsoft, Walmart, scholars, and consumer rights groups. It’s the first step on a long journey but Cantwell hopes it “will lead to more serious discussions about getting this implemented.”