Americans have Want a federal privacy law That desire has been repeatedly thwarted over the years by intense lobbying by the tech industry and widespread incompetence by federal lawmakers. Well, by 2024, we may finally have a strong federal privacy law.
I say it again: it is possible.It is also technically possible Frogs may fall from the sky The skies above Lower Manhattan have blanketed New Yorkers with an amphibious spring rain, but is it really possible?
this U.S. Privacy Act The 2024 bill recently introduced by Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA) would establish basic digital privacy protections for Americans. The law, if enacted, would create a variety of protections and rights for consumers, including the ability to access, control and delete information collected by companies.
While this sounds like a good thing, privacy advocates seem concerned about one aspect of the legislation. The proposed law would eliminate potentially stronger state-level protections that currently exist. While privacy groups remain cautiously optimistic about APRA’s potential, they are also wary of its proposed preemption of state laws. If the currently proposed regulations appear strong, the legislative process has just begun and there is no telling what federal law will look like after a long and intense decision-making process.
Here’s a look at what the legislation currently promises and what privacy advocates say about it.
Access, control, deletion rights
The U.S. Privacy Bill would provide broad protections for Americans’ data, allowing consumers to access, control and delete data covered by the legislation. The policy would give all Americans the right to request information from entities that collect their data. The bill states that businesses subject to the law will need to comply with consumer requests within a “specified time frame.” The bill allows for certain exemptions from these provisions, including for small businesses (defined as companies with “annual revenue of $40,000,000 or less” or that collect, process, retain or transmit covered data of “200,000 or fewer individuals” corporations), as well as governments and “entities working on behalf of governments.”
data minimization
The bill would also mandate so-called “data minimization.” The idea here is to reduce the total amount of information a company can collect about web users. Supporters of the bill said companies covered by the legislation would not be able to “collect, process, retain or transfer data beyond what is necessary, appropriate or limited to providing or maintaining the product or service requested by the individual, or providing communications”. What is reasonably expected in the context of the relationship or within the permitted purposes. ” Again, while this sounds great, the devil is in the details, and it’s not entirely clear what this kind of data minimization will look like in real life.
What is covered data?
The bill defines the data covered by the legislation as follows:
…information that identifies or links or is reasonably linked to a person or device. It does not include de-identified data, employee data, publicly available information, inferences drawn from multiple publicly available sources that do not meet the definition of sensitive covered data and not combined with covered data, and information in libraries, archives, or Museum collections are subject to certain restrictions.
Gives the Federal Trade Commission powers
Enforcement of the law will occur at both the federal and state levels. The bill states that, most notably, the FTC would be responsible for developing regulatory and technical specifications for a centralized mechanism for “individuals to exercise” their right to opt out, as well as other technical issues surrounding enforcement of the legislation. At the same time, the bill authorizes “state attorneys general, chief consumer protection officers, and other state officials in federal district courts” to take enforcement actions against companies that violate the law.
Targeting the data brokerage industry
The bill also targets data brokers. Under the new legislation, the Federal Trade Commission would be authorized to establish a data broker registry that consumers could use to identify which companies are brokers and opt out of data collection by those companies. All data brokers that collect data on more than 5,000 people will be forced to re-register with the federal registry every year. Brokers, meanwhile, will be forced to maintain their own websites that identify them as data brokers and include a tool for consumers to opt out.
private right of action
Privacy advocates have long wished private right of action– A mechanism that allows individual consumers to sue companies that violate their rights. Many state privacy laws do not include this. Under the current version of APRA, consumers will be given a private right of action, allowing them to bring lawsuits against companies that have clearly violated their digital privacy rights.
Privacy advocates remain cautiously optimistic
Following years of inaction by federal regulators on privacy policy, state governments have passed a number of strong privacy laws over the past decade. Some of these laws, such as California’s CCPA, are very strong. The newly proposed federal law publicly acknowledges that it would eliminate the “existing patchwork of comprehensive state data privacy laws” and instead create “robust enforcement mechanisms to hold violators accountable.” The fact that APRA would preempt state laws worries some privacy advocates, who fear federal laws could be watered down. The fact that APRA now looks strong doesn’t mean much because it could easily be weakened by lobbyists during the legislative process.
Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, said federal law preempting state-level regulation is appropriate only if it ends up being a strong law. “From our perspective, in an ideal world, it would not preempt state laws but rather allow states to pass stronger laws,” Fitzgerald said. “We recognize that compromise is necessary and this is a big sticking point. If it is going to preempt state law, it needs to be stronger than existing state law and regulations. We are still evaluating the bill to determine if the situation in this way.”
Other privacy advocates, such as the Surveillance Technology Oversight Project (STOP), have expressed similar concerns. “ADPPA does provide strong privacy protections, especially the data minimization rules,” said Will Owen, communications director at STOP. “But where the bill falls short is that it prevents states from taking stronger action if they want to. Worst of all, ADPPA preempts states from implementing protections, leaving them entirely in the hands of the U.S. executive branch, which The executive branch has been erratic in enforcing Americans’ privacy rights.”
Cody Venzke, senior policy counsel for the ACLU, said the group remains “concerned that the bill’s broad preemption of state laws will freeze our ability to respond to the changing challenges posed by technology. .”