When Privacy Goes to Washington

It’s been nearly a month since the United States had a functioning federal government, and precious little of consequence has happened on Capitol Hill in that time. But one of the issues that has sustained a level of interest throughout the shutdown is consumer data privacy, with Sen. Marco Rubio introducing a new bill this week to establish federal privacy regulations and Apple CEO Tim Cook now pushing for government oversight of data brokers.

Rubio’s bill is one of a number of privacy-related pieces of legislation that have been introduced in Congress in recent months. Like a couple of the other proposed measures, the American Data Dissemination Act envisions the Federal Trade Commission playing a major role in the process. In his bill, Rubio (R-Fla.) directs the FTC to develop a broad set of regulations for the way that Internet service providers handle user data, with the Privacy Act of 1974 as the basis. That law dictates the way that federal agencies can collect, store, and distribute personal information, but doesn’t apply to private entities.

Rubio’s bill requires the FTC to “submit to the appropriate committees of Congress detailed recommendations for privacy requirements that Congress could impose on covered providers that would be substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.”

The introduction of the ADD Act follows by a month the introduction of the Data Care Act, a bill with 15 Democratic sponsors that would establish the FTC as the enforcement agency for a new set of privacy rules to govern the way companies protect customer information. That bill provides substantial fines for violations and has a number of requirements, including one that prohibits service providers from using customer data in a way that “will benefit the online service provider to the detriment of an end user.”

Sen. Ron Wyden (D-Ore.) also has released a discussion draft of another privacy bill. Wyden’s Consumer Data Protection Act uses the FTC for enforcement and would fine companies that violate the rules up to four percent of their annual revenue. For his part, Rubio said it’s time that Congress take some action on consumer privacy, something that has been done on a state-by-state basis or through industry regulation.

“There has been a growing consensus that Congress must take action to address consumer data privacy,” Rubio said. “However, I believe that any efforts to address consumer privacy must also balance the need to protect the innovative capabilities of the digital economy that have enabled new entrants and small businesses to succeed in the marketplace.”

In his bill, Rubio requires service providers to give consumers access to any records the provider holds upon request and to have a mechanism for deleting records when necessary or required. Apple’s Cook has similar ideas. In an opinion piece in Time this week, Cook criticized the sale and resale of consumer information through the vast network of data brokers, a practice that’s largely invisible to consumers and unregulated by the government. Cook recommended that the FTC have responsibility for regulating data brokers, a task for which the commission probably is better suited than establishing privacy regulations.

“Meaningful, comprehensive federal privacy legislation should not only aim to put consumers in control of their data, it should also shine a light on actors trafficking in your data behind the scenes. Some state laws are looking to accomplish just that, but right now there is no federal standard protecting Americans from these practices,” Cook wrote.

Many consumers are unaware that data brokers even exist, let alone how they buy, store, and sell large chunks of personal information. These companies don’t fall under most existing regulations for financial firms or other companies that hold sensitive data, so Cook’s proposal is for a regulatory body to oversee data brokers and an option for consumers to delete data whenever they choose.

“That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all,” Cook wrote.