After a long hiatus, the bipartisan data privacy bill returns to Congress
A nascent bipartisan movement towards the establishment of a federal data privacy bill began to take shape about two years ago, but ended up being put on hold due to the combination of the coronavirus pandemic and a particularly controversial election year. As the effects of those two things wore off, Congress began to pick up on the topic.
A 2018 bill introduced by Republican-supported Senator Amy Klobuchar (D-MN) has been referred to the Senate, and her chances of moving forward may have improved as congressional control went to the Democrats. One of the strengths of the bill is the requirement that technology platforms allow users to opt out of data collection and tracking, but it would also allow them to deny service to those users.
The data privacy bill contains a set of terms
The Social Media Privacy Protection and Consumer Rights Act is sponsored by Klobuchar and Joe Manchin (D-WV) and has bipartisan support from John Kennedy (R-LA) and Richard Burr (R-NC). However, the data privacy bill stalled in 2019 in part because it failed to attract significant additional Republican support. There is no strong indication that the political right will be interested in it this time around, but that may now be irrelevant as Democrats have a one-and-a-half-year window to pass it while still having a secure grip on the House and Senate.
One of the key terms of the data protection bill is that the platforms write their terms of service in “easily accessible language” that can be easily understood by the average person. End users should also be able to opt out of data collection and tracking; however, the platforms would in turn be allowed to deny service to users who opt out. The bill allows providers to ban either “certain services” or “full access” in cases where the withdrawal creates “inoperability” of the platform.
The data protection bill would, however, provide enhanced rights and protections to those who choose to participate. The bill requires users to be notified of a data breach within 72 hours, and the breach notification must be accompanied by a full copy of the data the service has collected as well as links to request removal of the data. The bill also requires services to delete data collected from closed accounts within 30 days, unless they are required to keep it for some legal reason.
Platforms would also be required to maintain a “privacy or security program,” something oddly worded, as responsible platforms would be expected to have both of these. But the data privacy bill specifies that the program should detail how the platform uses the personal data collected, how it addresses the expected security risks created by the introduction of new products or services, and detail the access of internal employees and subcontractors to the personal data collected. Users should also be notified when new products are introduced to the platform and have the choice to deactivate them. These programs should be audited at least once every two years.
Enforcement of the law would be entrusted to the Federal Trade Commission (FTC), using existing laws on “unfair or deceptive acts or practices”. Non-profit organizations would also be subject to the conditions of the new draft data protection law. And state residents could seek restitution through a civil action brought by the state attorney general. The bill would also not replace existing state data protection laws.
Consumer protection may be limited
The data protection bill doesn’t go as far as something like the EU’s General Data Protection Regulation (GDPR) in terms of consumer protection, and some privacy advocates point out that a withdrawal-driven system can be untenable. The bill appears to focus on services in which a user is logged into an account, but technology platforms also provide services that collect protected data without requiring a login. The Google search bar and YouTube are two main examples, and Facebook is able to create profiles on anyone who visits a freelance website that integrates its plugins.
The “opt-out” approach is the opposite of the direction Apple has taken with its recent privacy changes introduced in iOS 14.5. Apple’s acceptance system requires that end-users be notified of data collection for personalized ad tracking when they download an app, and be asked to accept it. The app developer is not allowed to restrict or deny service to users who opt out. Customers who rely on an “opt-out” system must first transmit their personal data to the platform and then be confident that it will be processed and deleted in an appropriate and timely manner.
While the data protection bill falls far short of solving all of the issues on the table, OneLogin’s identity management expert Alexa Slinger notes that the data breach requirements would significantly improve at least one area of major harm to consumers: “According to an Audit Analytics report, Trends in Cybersecurity Breach Disclosures, it takes an average of 108 days for companies to discover a violation, and an additional 49 days to disclose the violation to consumers. This puts buyers unknowingly at risk of further exploiting their data, and businesses face damaging costs and penalties for their business. It is in the interests of both the consumer and the business to implement standards, processes and systems to prevent breaches and protect valuable user data.”