Privacy Laws Post Cambridge Analytica
Lawmakers have moved quickly to introduce new legislation
In response to Facebook’s data privacy scandal, lawmakers from the House and Senate have moved quickly to introduce legislation surrounding voter data privacy.
At least 24 states and the District of Columbia are in the process of introducing or discussing measures requiring internet and telecommunications providers to keep specified information confidential.
Currently, only Nevada and Minnesota require internet service providers (ISPs) to keep information concerning their customers private unless the customer gives permission to disclose it. Additionally, only Minnesota requires ISPs to get permission from subscribers before disclosing information about their online surfing habits.
Checking the official Congress website, we can see all the active proposals put forth by lawmakers. Here’s a quick guide to Acts that have been introduced to protect consumer data privacy and uphold transparency online.
My DATA Act of 2017 or Managing Your Data Against Telecom Abuses Act of 2017
Purpose: To protect broadband users from unfair or deceptive practices relating to privacy or data security, and for other purposes.
This bill is aimed at Internet Service Providers and allows the Federal Trade Commission to pursue regulations against ISPs for using unfair or deceptive acts or practices relating to privacy or data security. Under the current law, the FCC can only punish “edge providers” that offer services to the user. Think of Twitter, Facebook, Apple, or Google.
The My DATA Act would also allow the FTC to create and enforce rules protecting privacy.
Commercial Privacy Bill of Rights Act 2017
Purpose: To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, to amend the Children’s Online Privacy Protection Act of 1998 to improve provisions relating to collection, use, and disclosure of personal information of children, and for other purposes.
The goal for this bill is to create a comprehensive protective framework around consumers’ personal data. This bill emphasizes the need for personalized control over data and restricting what personal information companies can access and have, with an additional focus on the digital rights of minors.
BROWSER Act of 2017 or Balancing the Rights Of Web Surfers Equally and Responsibly Act of 2017
Bill Number: H.R. 2520
Purpose: To require providers of broadband internet access service and edge services to clearly and conspicuously notify users of the privacy policies of such providers, to give users opt-in or opt-out approval rights with respect to the use of, disclosure of, and access to user information collected by such providers based on the level of sensitivity of such information, and for other purposes.
This bill proposes that ISPs and specific web services must have a user’s consent before using certain types of personal, sensitive data. This bill is the Republican response to the Democrat-sponsored My DATA bill.
Opt-in approval through the user’s express consent must be obtained for the use of sensitive information that is:
- financial information,
- health information,
- about children under 13,
- Social Security numbers,
- precise geo-location information,
- content of communications,
- web browsing history, or
- history of usage of a software program or mobile application.
The bill allows a service provider to use information without approval for specified purposes, including services necessary for provision of the service and to initiate, render, bill, and collect for the service.
The bill prohibits providers from conditioning service on a user’s agreement to waive privacy rights.
CONSENT Act or Customer Online Notification for Stopping Edge-provider Network Transgressions
Bill Number: S. 2639
Purpose: To require the Federal Trade Commission to establish privacy protections for customers of online edge providers, and for other purposes.
This Democrat-sponsored bill requires web services to get opt-in and opt-out agreement to use personal data from users and to alert them when there’s been a data breach.
Cyber Shield Act of 2017
Purpose: To establish a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.
Although this bill doesn’t set restrictions or penalties on ISPs’ or web services’ use of data, it does establish an overarching need to have a governmental body that can dictate data security practices.
Secure and Protect Americans’ Data Act
Bill Number: H.R.3896
Purpose: To require certain entities who collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security involving such information, and for other purposes.
This bill is more related to the 2017 Equifax breach than to the Facebook privacy scandal, but was reintroduced when the Cambridge Analytica story broke. This bill delineates steps that private companies must take in order to protect against hacking and establishes new requirements on companies that experience data breaches.
Data Broker Accountability and Transparency Act of 2017
Bill Number: S.1815
Purpose: To require data brokers to establish procedures to ensure the accuracy of collected personal information, and for other purposes.
This bill addresses an issue that goes hand in hand with data privacy: transparency. This Democratic bill prohibits data brokers, defined as any commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or provide third-party access to the information, from gathering personal or sensitive information from users using “bait and switch” tactics. For example, if a user were to sign up for an online raffle, their information could not be gathered and sold to other companies.
Data Security and Breach Notification Act
Purpose: To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.
Like the Secure and Protect Americans’ Data Act, this bill focuses more on issues related to the Equifax breach. It requires entities that collect consumer data to establish reasonable security procedures and to provide immediate nationwide notification when a security breach is discovered.
Protecting Children from Identity Theft Act
Status: Passed House
Purpose: The purpose of this section is to reduce the prevalence of synthetic identity fraud, which disproportionally affects vulnerable populations, such as minors and recent immigrants, by facilitating the validation by permitted entities of fraud protection data, pursuant to electronically received consumer consent, through use of a database maintained by the Commissioner.
This bill requires the Social Security Administration (SSA) to develop a database to facilitate the verification of consumer information upon request by a certified financial institution. Such verification shall be provided only with the consumer’s consent and in connection with a credit transaction. Users of the database shall pay system costs as determined by the SSA.
Although this is not directly related to the issues that cropped up due to the Facebook scandal, the crux of this act centers around distribution of information with the consumer’s consent.
Black Box Privacy Protection Act
Bill Number: H.R. 3568
Purpose: To require manufacturers to disclose to consumers the presence of event data recorders, or “black boxes”, on new automobiles, motorcycles, and autocycles, and to require manufacturers to provide the consumer with the option to enable and disable such devices on future automobiles, motorcycles, and autocycles.
This bill forces automotive companies to disclose if they’re tracking consumers or gathering data on their vehicles or locations. This data hasn’t traditionally been sold, but many companies have expressed interest in finding ways to monetize this data. Although less directly related to internet services right now, many internet companies have branched out into being hardware providers (Amazon Echo, Google Home, etc.), and the implications for managing data collected by hardware can easily be extended to them.
This is just a quick summary of Acts that have been introduced in Congress. You can check the status of these bills on the official Congress website. If you’d like more granularity you can look at the acts introduced state by state via the National Conference of State Legislatures’ Privacy Legislation Related to Internet Service Providers page.