Released: November 21, 2019

Grading digital privacy proposals in Congress

Campaign for a Commercial-Free Childhood · Center for Digital Democracy · Color of Change

Consumer Federation of America · Consumer Action · Electronic Privacy Information Center

Parent Coalition for Student Privacy · Privacy Rights Clearinghouse · Public Citizen · U.S. PIRG

Contact: David Rosen, [email protected], (202) 588-7742; Susan Grant, [email protected], (202) 387-6121; Caitriona Fitzgerald, [email protected], (617) 945-8409; Katharina Kopp, [email protected], (202) 836-3621; Linda Sherry, [email protected], (202) 544-3088 

When it comes to digital privacy, we’re facing an unprecedented crisis. Tech giants are spying on our families and selling the most intimate details about our lives for profit. Bad actors, both foreign and domestic, are targeting personal data gathered by U.S. companies, including our bank details, email messages and Social Security numbers. Algorithms used to determine eligibility for jobs, housing, credit, insurance and other life necessities are having disparate, discriminatory impacts on disadvantaged groups. We need a new approach.

Consumer, privacy and civil rights groups are encouraged by some of the bills that recently have been introduced in Congress, many of which follow recommendations in the groups’ Framework for Comprehensive Privacy Protection and Digital Rights in the United States.

The framework calls for baseline federal privacy legislation that:

• Has a clear and comprehensive definition of personal data;
• Establishes an independent data protection agency;
• Establishes a private right of action allowing individuals to enforce their rights;
• Establishes individual rights to access, control and delete data;
• Puts meaningful privacy obligations on companies that collect personal data;
• Requires the establishment of algorithmic governance to advance fair and just data practices;
• Requires companies to minimize privacy risks and minimize data collection;
• Prohibits take-it-or-leave-it or pay-for-privacy terms;
• Limits government access to personal data; and
• Does not preempt stronger state laws.

Three bills attained the highest marks in the recent Privacy Legislation Scorecard compiled by the Electronic Privacy Information Center (EPIC):

1. The Online Privacy Act (H.R. 4978), introduced by U.S. Reps. Anna Eshoo (D-Calif.) and Zoe Lofgren (D-Calif.), takes a comprehensive approach and is the only bill that calls for a U.S. Data Protection Agency. The bill establishes meaningful rights for individuals and clear obligations for companies. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective.
2. The Mind Your Own Business Act (S. 2637), introduced by U.S. Sen. Ron Wyden (D-Ore.), requires companies to assess the impact of the automated systems they use to make decisions about consumers and how well their data protection mechanisms are working. It has explicit anti-preemption language and holds companies accountable when they fail to protect privacy. The private right of action should be broader, and the bill needs clear limits on data uses.
3. The Privacy Rights for All Act (S. 1214), introduced by U.S. Sen. Ed Markey (D-Mass.), has important provisions minimizing data collection and delinking user identities from collected data, and prohibits bias and discrimination in automated decision-making. It also includes a strong private right of action and bans forced arbitration for violations. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective.  

Two bills are plainly anti-privacy:

1. The Information Transparency & Personal Data Control Act (H.R. 2013), introduced by U.S. Rep. Suzan DelBene (D-Wash.), falls woefully short. It provides few protections for individuals, contains overly broad exemptions and preempts stronger state laws.
2. The Balancing the Rights of Web Surfers Equally and Responsibility (BROWSER) Act (S. 1116), introduced by U.S. Sen. Marsha Blackburn (R-Tenn.), is based on the old, ineffective take-it-or-leave-it terms of use model, does not allow agency rulemaking, is weak on enforcement and preempts state laws. Both are bad, anti-privacy bills.

Future federal privacy bills must make the grade. Additional privacy bills are expected to be introduced by U.S. Sen. Maria Cantwell (D-Wash.) and U.S. Rep. Jan Schakowsky (D-Ill.). Separately, U.S. Sens. Richard Blumenthal (D-Conn.), Roger Wicker (R-Miss.) and Josh Hawley (R-Mo.) may release their own bills. These leaders should strive to meet the standards that the framework lays out.

Baseline privacy legislation must not preempt stronger state protections and laws–such as the California Consumer Privacy Protection Act that takes effect in 2020, biometric data protection laws such as those in Illinois and Texas, and data breach notification laws that exist in every state. States must be allowed to continue serving as “laboratories of democracy,” pioneering innovative new protections to keep up with rapidly changing technologies.  

In addition, federal privacy legislation must include a strong private right of action–a crucial tool consumers need to enforce their rights and change the behavior of powerful corporations – and establish safeguards against data practices that lead to unjust, unfair, manipulative and discriminatory outcomes.

For more information, see these fact sheets.