The Senate this week held a hearing examining the first comprehensive privacy proposals to come from the leaders of the Senate Committee on Commerce, Science, and Transportation. The bills are likely to set the tone for much-anticipated final legislation safeguarding our privacy rights online.
Neither bill is perfect. But the Consumer Privacy Online Rights Act — introduced by Sen. Maria Cantwell, D-Wash. — offers a strong first step. The bill from Sen. Roger Wicker, R-Miss., the U.S. Consumer Data Privacy Act of 2019, has several glaring deficiencies and should not move forward without significant improvement.
Here’s how the two bills stack up on key issues:
Preserving State-Level Privacy Protections
Sen. Cantwell’s bill preserves the rights of states to pass stronger privacy laws. States have often led the work to protect consumer privacy. While Congress has yet to act, California has passed comprehensive privacy legislation, Illinois has taken steps to safeguard our face and other biometric information, and Maine has limited how internet service providers can collect and use our information. Recognizing the important role states play in protecting our privacy, Sen. Cantwell’s bill makes clear that federal privacy legislation must serve as a floor — not a ceiling — leaving states free to pass laws that provide stronger protections.
By contrast, Sen. Wicker’s draft legislation would completely gut existing state privacy laws and prevent states from passing stronger laws in the future. Companies could use the legislation — if it were to become law — in efforts to gut existing state privacy laws, like the California law, and stop states from putting in place more stringent privacy protections. This would negatively impact states’ ability to protect the privacy rights of their residents.
Strong Enforcement Mechanisms
As recent settlements with the Federal Trade Commission have demonstrated, federal fines for privacy-violating companies are often simply viewed as the cost of doing business, not a call to change harmful practices. To make privacy protections meaningful, consumers should be able to sue those companies for damages, and the FTC should have the authority to levy civil penalties and to set strong privacy rules.
Sen. Cantwell’s bill offers a strong approach. In addition to beefing up the authorities and resources of the Federal Trade Commission, the bill allows private citizens to sue companies who violate their privacy rights. Recognizing the difficulty in quantifying the cost of a privacy harm, the bill specifies the damages available to individuals per violation, and allows for the award of punitive damages, as appropriate.
Sen. Wicker’s bill provides no such right. Instead, the bill leaves enforcement entirely to state attorneys general and the FTC, though the latter has increased authorities. This is simply not enough and is likely to lead to significantly weak enforcement, stranding people who have been harmed with no recourse.
Preventing Online Discrimination
It’s imperative that Congress act to stop discrimination from taking on new life in the 21st century. To that end, Sen. Cantwell’s bill includes provisions that would prohibit the use of data to discriminate in housing, employment, credit, education, or public accommodations, and permits the FTC to enforce the prohibition. In addition, the bill would require data operators to conduct impact assessments to measure potential discrimination stemming from their use of an algorithm. As the bill advances, these provisions should be improved to provide other agencies, like the Consumer Financial Protection Bureau and Department of Housing and Urban Development, the ability to monitor and take enforcement action against companies that violate these provisions.
Sen. Wicker’s bill positively acknowledges that companies’ use of data to discriminate in ways that violate existing anti-discrimination laws is a problem that needs to be addressed. It requires some operators to conduct impact assessments and stipulates that the FTC may refer cases of discrimination to the appropriate state and federal agencies, an authority that the FTC already has in many contexts. This, falls far short of what is needed to prevent discrimination in the online ecosystem and is inferior to the approach in Sen. Cantwell’s bill.
Clear and Strong Data Usage Rules
Consumers should have control over their data. To that end, both bills prohibit companies from sharing data without an explicit opt-in for sensitive data, or opt-out for other types of data. Both also give consumers the right to access, correct, and request the deletion of their information. Sen. Cantwell’s bill would even prohibit companies from denying services or charging someone more if they choose to exercise their privacy rights.
The two bills, however, make an artificial distinction between sensitive and non-sensitive data, with the former afforded greater privacy protections. Personal data is personal, which means the value ascribed to certain data varies by individual. For one person, information about their race may be deeply sensitive. For another, this information may already be widely available, yet information about their reading or buying habits may be more personally revealing. Privacy legislation should afford a high level of protection to all information without distinction.
We encourage members of Congress to continue working together to enact legislation that protects our data, preserves state laws that provide greater protections, and gives people the ability to enforce their privacy rights. Consumers are counting on it to take action to protect their data.
Neema Singh Guliani, ACLU Senior Legislative Counsel
& Kate Ruane, Senior Legislative Counsel, ACLU