A lot of blood, sweat and tears have been spilled this year over privacy regulation in the United States. Indeed, at the beginning of 2019, legislative developments related to privacy and data protection at all levels of government showed no signs of slowing down. At the center of these developments has been the California Consumer Privacy Act. Since it was signed into law in June 2018, the CCPA has ignited heated discussions within privacy circles regarding its scope, provisions and exceptions and has forced privacy professionals to re-examine their organizations’ practices and compliance efforts. According to Chad Marlow of the American Civil Liberties Union, the increasing number of state-level efforts to pass privacy laws indicates that states have reached a tipping point where, “if Congress is not willing or able to enact strong privacy laws, their legislatures will no longer sit on their hands.”

In response to these developments, discussions within the U.S. Congress about passing a federal U.S. privacy and data protection law have intensified over the past few months. At the end of September 2018, the IAPP’s Jedidiah Bracy, CIPP, covered the details of a Senate hearing about privacy legislation, sharing the initial reactions of key actors in the process. In another IAPP piece, Bracy wrote about the privacy advocacy groups that voiced their dissatisfaction with not being included in the hearings, which mostly involved representatives from industry.

As these tensions swelled in the first quarter of 2019, numerous lawmakers and organizations offered proposals or recommendations regarding a new federal U.S. data privacy law. To shine more light on the specific provisions that are being debated, we look here at a set of the most recent bills that have been introduced in Congress, including the Consumer Data Protection Act introduced by Sen. Ron Wyden, D-Ore., the Data Breach Prevention and Compensation Act of 2018 introduced by Sen. Elizabeth Warren, D-Mass., the Data Care Act of 2018 proposed by Sen. Schatz, D-Hawaii, in early December 2018, the Privacy Bill of Rights Act introduced by Sen. Edward Markey, D-Mass., the Algorithmic Accountability Act of 2019 introduced by Sens. Cory Booker, D-N.J., and Ron Wyden, D-Ore., and Rep. Yvette Clarke, D-N.Y., the Do Not Track Act introduced by Sen. Joshua Hawley, R-Mo., the Designing Accounting Safeguards to Help Broaden Oversight and Regulation on Data introduced by Sens. Mark Warner, D-Va., and Josh Hawley, R-Mo., and the Information Transparency and Personal Data Control Act introduced by Rep. Suzan DelBene, D-Wash.

Further, we also examine a selection of recommendations made in comments submitted to the National Telecommunications and Information Administration from across government, industry and advocacy organizations in response to a set of desired privacy outcomes. These broad outcomes include transparency, control, reasonable minimization, security, access and correction, risk management and accountability.
• Opt-in consent for personal data collection and its sharing with third parties.

On Nov. 1, 2018, Sen. Ron Wyden, D-Ore., released a discussion draft of the Consumer Data Protection Act, along with a section-by-section analysis and one-page summary
Covered entities would also have to notify users who are not using the DNT that it is available from the public website of the FTC. Entities would also have to notify users not sending the DNT signal about their collection of any data “beyond what is necessary” for it to operate the website, service or application. Critically, the act considers data that is collected “for the purpose of displaying targeted advertisements” to fall under this definition of “more data than is necessary.”

In terms of penalties, those for actions that constitute a “negligent violation” would not be in excess of $50 per affected user, while penalties for actions that constitute a “willful or reckless violation” cannot be less than $100,000 but would also not exceed $1,000 per affected user.

Designing Accounting Safeguards to Help Broaden Oversight and Regulation on Data

Another bill introduced by Sens. Mark Warner, D-Va., and Josh Hawley, R-Mo., is aimed at forcing social media companies to disclose how they monetize user data. The DASHBOARD Act, a bipartisan piece of legislation, would require services with more than 100 million monthly active users to disclose the types of data they collect, as well as to assess the value of that data. Covered commercial data operators would also be required to file annual reports on the “aggregate value” of the user data they

Introduced by Rep. Suzan DelBene, D-Wash., the Information Transparency & Personal Data Control Act is intended to give consumers more control over their data by implementing an opt-in model of collection and “plain English” privacy policies. Like other proposals, it would enhance the authority of the FTC, giving it greater power to fine companies while also increasing the number of full-time FTC staff by 50 (15 of whom must be “technical experts”) and its budget by $35 million. The bill would also require companies to acquire “privacy audits” by “a neutral third party” and submit those results every other year to the FTC.

Of note, the bill considers “sensitive personal information” to encompass genetic data, geolocation data and information about religious beliefs and sexual orientation.

Other Draft Bills

Several other bills are reportedly in the works, although drafts of them have not yet been introduced or made publicly available. In the Senate, Commerce, Science and Transportation Committee Chairman Sen. Roger Wicker, R-Miss., along with fellow members Sens. Jerry Moran, R-Kan., Richard Blumenthal, D-Conn., and Brian Schatz, D-Hawaii, has been working for several months on a bill that would, according to Senate aides, enhance the FTC’s powers and preempt state privacy laws.
Published 10/10/2019
iapp.org
Columns: Bill; Sponsors; Right of access; Right to correct or delete PI; Right to data portability; Opt-in consent; Private right of action; Data breach notifications; Risk assessments

Consumer Data Protection Act of 2018; Sen. Ron Wyden: X X X X
Data Breach Prevention and Compensation Act; Sen. Elizabeth Warren: X X
Innovative and Ethical Data; Intel Corporation: X X X X
Algorithmic Accountability Act of 2019; Sens. Cory Booker and Ron Wyden; Rep. Yvette Clarke: X
Do Not Track Act; Sen. Joshua Hawley: X
Designing Accounting Safeguards to; Sens. Mark Warner and Josh Hawley
Table 2. Support for Provisions within a Sub-Sample of Comments Submitted to NTIA*
* A marked box indicates only that the proposal explicitly favored inclusion of this right or principle, albeit with exceptions in some instances; an empty box should not necessarily be considered lack of support for or objection to inclusion (some entities are policy-neutral and took no position).

Columns: Right of access; Right to correct or delete PI; Right to data portability; Opt-in consent; Private right of action; Data breach notifications; Risk assessments

Access Now: X X X X X
Amazon: X
American Civil Liberties Union: X X
American Library Association
Center for Digital Democracy: X X X X X X X
Center on Privacy & Technology at Georgetown Law: X X X X
Centre for Information Policy Leadership: X X X X
Charter Communications, Inc.: X
Computer & Communications: X X X X X
Information Accountability Foundation: X X X
Intel Corporation: X X
International Association of Privacy Professionals
Internet Association: X X X X X
ISACA: X X X
Landau, Susan
Motion Picture Association of America, Inc.