Lawmakers Release Federal Data Privacy Draft Bill

Several House and Senate members have released a draft proposal for a national data privacy bill, called the American Data Privacy and Protection Act, which aims to establish a framework for better protecting consumer data privacy and security.

The 64-page draft legislation addresses several key issues related to data privacy, including third-party data collection policies, opt-out mechanisms for consumers and the privacy of biometric information. The overarching goal of the act is to protect citizens against the “discriminatory use of their data,” according to the bill.

“This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms,” said Sen. Roger Wicker (R-Miss.), Rep. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.) in a Friday statement. “We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades, and we look forward to continuing to work together to get this bill finalized and signed into law soon.”

Specifically, the American Data Privacy and Protection Act would require organizations to limit the amount of data that they collect and share. As part of this, companies could only collect information that is “reasonably necessary, proportionate, and limited,” with the Federal Trade Commission (FTC) in charge of determining specifically what that would entail. The act would also give consumers more control over their data, requiring an option that lets end users of services turn off targeted advertisements and opt out of the transfer of data to a third-party entity. The bill would also set up data protections for minors, prohibiting targeted advertising if companies know a consumer is under 17.

Privacy experts have previously called for such a law, but developing a federal privacy law comes with different levels of complexity and difficult questions, including who should enforce the mandates, what kind of penalties should exist for companies that don’t comply with the rules and how to create regulations without stifling innovation.

The American Data Privacy and Protection Act aims to tie up these loose ends. Within a year of the legislation being enacted, the FTC would be required to set up a new bureau that would be the authority for parts of the act. Among other things, the act would require the FTC to issue guidance on policies that companies must follow in collecting, processing and transferring covered data. The FTC would also be in charge of tracking, through a registration process, third-party collecting entities that process covered data of more than 5,000 individuals.

Meanwhile, a violation of the act by companies would be considered “an unfair or deceptive act or practice under the FTC Act, meaning it may obtain civil penalties for initial and subsequent violations, among other relief,” according to the draft legislation.

Dena Kozanas, director of MITRE’s Center for Data Privacy and Protection, commended the draft release as "a positive step towards continued momentum in the debate on a national standard for data collection and protection."

"This new attempt at a national privacy law seems to include provisions that can address concerns from all stakeholders; however, it will be critical to seize on this opportunity to reach a final agreement on all the details that are important to corporations, consumers, and practitioners," said Kozanas. "Overall, this is a welcome step forward in a meeting of the minds on such an important part of our everyday life."

Though privacy laws exist in several states - including California, Virginia and Colorado - the U.S. does not yet have an all-encompassing federal data privacy law, which would act as a comprehensive measure to protect consumers’ private data from being misused, even in states without regulations. The American Data Privacy and Protection Act for its part would preempt most of these existing state laws, according to the draft legislation.

Several federal bills have been proposed over the years addressing data privacy, including one introduced in July called The Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, as well as previous efforts like the Information Transparency and Personal Data Control Act introduced in March by Rep. Suzan DelBene (D-Wash.). But lawmakers say that the American Data Privacy and Protection Act is unique in that it is the first comprehensive privacy proposal to gain bipartisan, bicameral support.

“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” Wicker, Pallone, and Rodgers said in a statement. “In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data.”