A sweeping federal privacy bill unveiled Friday would give Americans unprecedented control over how companies collect and use their data.
The discussion draft was released by Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wash., and Frank Pallone, D-Mass. It represents the results of months of intense negotiations and is a step toward federal privacy protections long-awaited by civil society groups.
The 64-page privacy framework introduces a range of changes designed to give consumers more control over their data. It would require covered companies to limit data collection, allow consumers to turn off targeted advertisements, grant broad protections for Americans against discriminatory uses of their data and rein in third-party data collection.
The bill also carves out special protections regarding biometric data, a growing source of concern for privacy and human rights activists. Under the legislation, companies can only collect and share biometric data under specific instances including responding to a warrant and affirmative consent.
Civil society groups have urged Congress to prioritize passing a federal privacy bill before midterms when a shuffling of committee leadership could hinder efforts. Even with today’s step, however, the road to a federal privacy framework faces obstacles. Notably, the bill lacks the support of Senate Commerce Chairwoman Maria Cantwell, D-Calif., which could set back how quickly it moves through the committee. Axios reported Cantwell is circulating her own privacy legislation.
“For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes,” Cantwell wrote in a statement to CyberScoop. “Consumers deserve the ability to protect their rights on day one, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data.”
Also likely to spark controversy is the bill’s general preemption of state privacy frameworks, such as the ones introduced in states like California and Virginia. Some privacy advocates have expressed concerns that a federal framework would provide weaker protections than laws like California’s which allow residents to pursue damages for data violations.
It carves out exceptions for more specific state laws including those protecting student and employee privacy, laws on hacking and data theft and medical records. The legislation also exempts the Illinois Biometric and Genetic Information Privacy Act, which gives individuals in Illinois the right to sue over the violation of biometric data.
“This law would supersede the emerging state comprehensive privacy laws and effectively freeze privacy legislation for years to come,” Justin Brookman, head of tech policy at Consumer Reports tweeted. “So it needs to get it right. We’ve supported state bills that were imperfect-but-progress, but this legislation needs to meet a higher bar.”
Even so, civil society groups and industry see the step forward as a victory.
“We’re heartened to see bipartisan congressional movement on a federal privacy bill,” tweeted the Leadership Conference on Civil and Human Rights. “We look forward to working with congressional leaders to ensure strong civil rights protections are part of this important legislation.”
ITI President and CEO Jason Oxman said in a statement, “We appreciate the bipartisan momentum in the U.S. Congress to advance U.S. privacy protections and look forward to reviewing the specifics of the draft bill released today.”
The legislation, which gives the Federal Trade Commission enforcement powers for the framework, also received praise from both Republican FTC commissioners.
Updated 6/3/2022: To include comment from Senator Cantwell.