At the heart of the Cantwell-McMorris Rodgers proposal is a much-needed paradigm shift in modern privacy policy. Americans trying to navigate their online lives today must face arcane terms of service that ultimately allow companies to do whatever they want with the data they collect from the people who use their services. Under this bill, that would change. The bill would impose obligations on companies regarding what information they collect and the services they provide, rather than leaving it to users to work out what information they are giving up and whether they are comfortable with that data collection. Collection would be limited to what is reasonable and necessary. If you can do without the service you are trying to access.
Two major compromises on previously unsolvable problems appear to have removed the biggest hurdles. On the question of whether individuals can sue companies that violate the law, the bill does not create a waiting period for the public to file a lawsuit, as previously proposed. However, companies will be given an opportunity to correct violations before being penalized.
Some Republican senators may balk at the right of individuals to sue. Sen. Ted Cruz (R-Texas) has already complained about the possibility of the Federal Trade Commission becoming the “arbiter of internet speech and DEI compliance.” (This is likely related to the bill's prohibition on using personal data to discriminate on the basis of race, gender, or other protected characteristics.) But other Republicans appear likely to remain at the table. Ultimately, their concession led to a victory on the second major sticking point: whether new federal privacy laws preempt state laws on the same subject matter.
This bill would ensure uniform national standards for data privacy, preferable to a patchwork of contradictory and confusing state laws. Privacy advocates worried that strong state laws would be replaced by weaker federal laws. But the new proposals are likely to be as tough or tougher than what states have come up with to date. Consider the Illinois law that protects biological and genetic information. The Cantwell-McMorris Rodgers bill takes particular care to include similar provisions to ensure these important protections are maintained. On the other hand, each state's “sector-specific laws” that cover things like health care and student and employee privacy are not prioritized at all.
It's flawed. The FTC would be delegated sufficient authority to work with state attorneys general to not only enforce the law but also create broader rules and guidelines. However, the FTC is understaffed and underfunded and will need additional support. The agency's mandate includes creating a registry of data brokers with a “do not collect” mechanism available to consumers. That's wise. Data brokers scour the web for sensitive information and sell it to benevolent and unfavorable parties alike, from loan sharks to foreign spies. However, to delete data already held by these shady operators, consumers must visit each broker's individual website. It's a heavy enough lift that most people don't even try.
There is plenty of room to address small issues like this as the bill moves forward, although it is only a draft for discussion. But ambitious demands for stronger child protection in this bill should be set aside. The Senate is already on track to pass two separate bills on the issue, the Children's Online Privacy Protection Rule and the Children's Online Safety Act. These complex proposals deserve consideration separately from pending federal privacy legislation. Tying them together could jeopardize both efforts.
Congress took too long to get to this point. Lawmakers should not waste their biggest opportunity yet to make Americans' online lives safer and more secure.