CDT Says House Privacy Draft Is Major Shift; Industry Raises Concerns
The House Consumer Protection Subcommittee’s privacy draft bill is a significant shift in the privacy debate, but more compromise is needed, the Center for Democracy & Technology commented Friday. Public Knowledge, the Internet Association, CTA and BSA|The Software Alliance offered suggestions for improving the legislation by Friday’s subcommittee deadline (see 2001080072).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The draft is “arguably the most aggressive, or one of the most aggressive, proposals from leadership,” said CDT Privacy & Data Project Director Michelle Richardson, saying it shows the debate has shifted in the past year or two. It includes items once considered off the table: civil rights protections, data security and use limitations. CDT recommended continued work to find middle ground. The legislation is “truly comprehensive” and covers “everyone and substantively covers transparency, individual controls, and corporate responsibilities,” she said.
The bill should include meaningful private right of action and shouldn’t pre-empt state law, PK said. PK welcomes the draft’s “prohibitions on discriminatory uses of data” and granting the FTC “more resources, regulatory flexibility through rulemaking authority, and first-instance civil penalty authority,” said Policy Counsel Dylan Gilbert. The group has reservations about certain provisions that “afford companies too much latitude to dishonor consumers’ and users’ fundamental right to privacy online and take the teeth out of the law’s enforcement and accountability mechanisms.”
IA suggested changes to add focus on FTC rulemaking requirements and strengthen the agency as lead enforcer. IA suggested the bill authors delete a section about consumer data use and processing transparency because those are covered in privacy policies. Instead, focus on “consumer access rights on obtaining that specific consumer's personal information or specifying that when replying to an access request, the covered entity should provide a link to the privacy policy,” a spokesperson said. The association recommended clarifications on responsibilities for “obtaining consent for specific processing and to properly describe the purposes of processing that is allowed in the contract.” The organization suggested contractual requirements mirror other privacy regimes like EU’s general data protection regulation. IA supports “increased transparency around how data is used, as well as user controls, such as the ability to access, correct, delete, download, and exercise choice."
CTA supports narrowly tailored FTC rulemaking authority under a federal privacy bill that pre-empts states in creating a unified national standard, said Vice President-Government Affairs Jamie Boone. CTA “strongly opposes” a private right of action, Boone said, arguing for the FTC and state attorneys general to lead enforcement. It also raised proprietary concerns about bill provisions calling for “detailed descriptions and disclosures of data practices, algorithms, decision-making, inferences, and pricing strategies.”
BSA wants to work with the committee to ensure user rights and industry obligations are “as clear as possible,” said Vice President-Legislative Strategy Craig Albright. BSA welcomed the comprehensive bill establishing a full set of user rights and obligations. “All companies have critical responsibilities in protecting consumer rights, and all companies should have strong obligations that fit their role in handling consumers’ data,” he said: The bill is another sign of bipartisan consensus for establishing a federal privacy law.