Here at Anonyome, we stay abreast of current thinking and conversation around privacy and identity management, from technology innovations to regulatory changes.
Today, we’re looking at the long-running issue of a potential US federal data privacy law because there’s been some significant movement.
You can catch up on the story here and here. You might also like The US Data Privacy Law “Floor”: What Deserves Basic Protections?
The latest news on this simmering topic is that the draft American Privacy Rights Act was introduced on April 7, 2024. It’s a bipartisan US federal data protection law drafted by Congresswoman Cathy McMorris Rodgers (R-WA 5th District) and Senator Maria Cantwell (D-WA) that aims to give US citizens greater control over their personal data, limiting the ability of big tech firms to process, transfer and sell the information.
The draft American Privacy Rights Act also mandates that companies must meet stronger cybersecurity standards to protect the personal data they hold from being hacked or stolen and gives enforcement powers for violations to the Federal Trade Commission (FTC), states and individuals.
Three of the draft bill’s key provisions are:
- Limiting the data that companies can collect, keep, and use about people to what those companies actually need in order to provide them with products and services
- Boosting powers for citizens to control how companies use their personal data, such as preventing companies from transferring or selling their data, and opting out of data processing if a company changes its privacy policy
- Requiring companies to obtain express consent before transferring sensitive data to a third party.
In releasing the draft bill, Congresswoman Rodgers said: “This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”
Rodgers and Cantwell argue that “… their draft legislation represents the best opportunity in decades to establish a national data privacy and security standard in the US.” It’s intended to enhance the patchwork of legislation that’s been knitted together at the state level in the US for several years, which will make data privacy protections more consistent for US citizens nationally and reduce the compliance burden on businesses.
Importantly, the draft American Privacy Rights Act is based on similar principles to the EU’s General Data Protection Regulation (GDPR). The US is one of the only major global economies without strong national privacy laws akin to the GDPR.
While there’s optimism for this bill, we’ve been at this point a few times with US national privacy legislation, most recently in 2022. And some question whether it goes far enough. The Electronic Frontier Foundation (EFF) isn’t impressed, saying Americans deserve more than the current bill. Their position is that “a new federal bill would freeze consumer data privacy protections in place, by pre-empting existing state laws and preventing states from creating stronger protections in the future. Federal law should be the floor on which states can build, not a ceiling.”
The EFF also wants portions of the bill strengthened:
- Making it easier to sue companies that violate consumer rights
- Limiting sharing with the government
- Expanding the definition of sensitive data
- Narrowing exceptions that allow companies to exploit consumer biometric information, so-called “de-identified” data, and data obtained in corporate “loyalty” schemes.
Read the EFF’s position here.
At Anonyome, we see the introduction of this bill as yet another moment on the long road to a federal data privacy law where we hope lawmakers don’t allow their desire for the perfect (and un-passable) law to get in the way of passing a good law that raises the bar for the approximately 30 US states and territories yet to pass privacy legislation. And we’ll watch closely when the lobbyists get to it: we expect more carve-outs, US state pre-emption concerns, and questions over whether it will get passed before November.
As always, watch this space.
