Top Senate Democrats unveil new online privacy bill, promising tough penalties for data abuse

The effort led by Sen. Maria Cantwell may face an uphill climb with Republicans

By:  Tony Romm
Source: The Washington Post

Senate Democrats on Tuesday proposed tough new punishments for Facebook, Google and other Silicon Valley tech giants that mishandle their users’ personal data, unveiling a sweeping new online privacy bill that aims to provide people their “Miranda rights” for the digital age.

The effort, led by Sen. Maria Cantwell, a Washington state Democrat who previously worked in the tech industry, marks a significant attempt by Congress to write the country’s first-ever national consumer-privacy law after years of false starts — and massive data scandals that illustrated the costs of the U.S. government’s inaction.

Cantwell’s bill, dubbed the Consumer Online Privacy Rights Act, would allow people to see the personal information that is amassed about them and block it from being sold. The measure also promises steep fines and opens the door for Web users to bring lawsuits, if social media sites, retailers and others engage in harmful practices and break the rules.

“You have to start saying these aspects of your life belong to you, and you have the right to decide how they’re used,” Cantwell said in an interview previewing the bill’s release.

A variety of lawmakers have introduced privacy proposals of their own in recent months, but Cantwell’s offering had been long-awaited because of her stature as the top Democrat on the chamber’s tech-focused Senate Commerce Committee. Her legislation, which is also backed by three other party lawmakers, signals the positions the Democrats will stake out on digital consumer protections as they continue to negotiate with Republicans.

But Democrats also face an arduous task in selling Republicans on some of their more ambitious ideas while withstanding a barrage of opposition from tech companies that long have avoided tough regulation. Those political forces and policy disagreements have prevented progress on privacy in Congress for decades — and threaten to do the same now, despite heightened fear that the tech industry’s insatiable thirst for data has outmaneuvered Washington’s ability to oversee it.

 “You’ve got the problem of entrenched businesses, who are going to push back,” said David Vladeck, a former privacy watchdog at the Federal Trade Commission who teaches at Georgetown Law. “Congress is trying to ensure both government and individual consumers can actually protect themselves if someone misuses their data or collects data without their permission."

Public-interest advocates for years have urged Congress to adopt data protections, arguing that Silicon Valley can’t be trusted to put people’s privacy over corporate profit. But it took several scandals — particularly Facebook’s entanglement with Cambridge Analytica, which jeopardized tens of millions of users’ personal information — to grab the attention of a wide swath of Congress, which quickly began to wonder whether tech giants had been left unrestrained for too long.

Senate lawmakers since then have held at least seven hearings on privacy and issued countless letters, statements and other fiery threats. Just over the past week, for example, Democrats and Republicans faulted Google for “secretly” collecting health records about patients, questioned Amazon for “egregiously lax” policies around its dealings with police and blasted Facebook for having “misled” users about location data.

But their sustained public thrashing of tech companies and their top executives often hasn’t translated to legislative action, with no privacy law on federal rule books more than 600 days after Facebook’s data abuses came to light. The absence of a federal privacy law stands in stark contrast to Europe, which started enforcing the world’s toughest data-privacy protections last year, and California, which will implement its own landmark rules come January. Golden State legislators specifically pointed to federal inaction as the reason they forged ahead with new data safeguards.

Cantwell’s bill shares some similarities with California’s rules, which her proposal, if passed, would leave intact — while allowing other states to pass privacy laws of their own. For example, the Democrats’ measure would grant Americans across the country the right to ask companies what information is collected about them, with whom it is shared and why. It also seeks to demystify the powerful, unseen algorithms that companies employ to analyze people about housing, credit or employment, then target them with ads.

Companies further would have to obtain a person’s permission to collect and share their sensitive data. Cantwell and her team defined the category broadly to include a wide array of information that could be linked to a person based on their browsing online or shopping in the real world, along with one’s precise location or biometrics, including scans of their face.

“We want to make sure we establish rights and responsibility — rights for consumers and responsibilities for those who collect, manage and transmit data,” said Sen. Brian Schatz (D-Hawaii), who joined with Sens. Edward J. Markey (D-Mass.) and Amy Klobuchar (D-Minn.) in sponsoring the bill.

To enforce the rules, Senate Democrats have proposed granting new powers to the FTC to police against a wide array of practices that could cause consumers harm. Under a decades-old law, the watchdog agency already can probe tech giants, but it often can’t bring tough punishments, including fines, until a company commits its second offense. Cantwell’s bill removes that obstacle for privacy investigations, while also setting aside financial penalties it obtains for a special consumer-relief fund.

It does not create an entirely new federal privacy agency, however, as some public-interest advocates have sought, partly out of concern that the tech industry is “already so big that it’s going to outmaneuver a lot of bureaucratic responses,” she said.

The proposal would open the door for state attorneys general to bring cases under federal law as well, and would permit people to sue tech companies if their privacy has been violated. Such lawsuits will probably spur immense controversy among Facebook, Google and other tech giants, which have fiercely advocated nationwide against granting Web users a private right of action. But the Democratic senator said these protections are essential to send a message to companies that repeatedly mishandle users’ data.

“There’s nothing like the CFO, CEO and the general counsel getting in a room and going, ‘You know, we could be sued for this,' ” Cantwell said. “Guess what that changes? Behavior.”

Such lawsuits also have drawn staunch, sustained opposition from Republicans, who are set to convene a hearing in early December to discuss privacy legislation. The leader of the Senate Commerce Committee, GOP Sen. Roger Wicker (Miss.), had been negotiating with Cantwell on a compromise for months. But Republicans and Democrats continue to quarrel over the details: GOP leaders have sought to make it difficult, or impossible, for states to adopt their own privacy protections, for example, which is non-starter for some Democrats.

His office did not respond to a request for comment.

Longtime privacy advocates acknowledged the tough task congressional lawmakers now face — selling a privacy measure to a distracted Congress in the midst of an impeachment proceeding and a looming presidential election.

“It’s going to be hard to get anything done before 2021 because I don’t think leadership has the interest, time or appetite for it,” said Justin Brookman, director of consumer privacy and technology policy at Consumer Reports, which offered lawmakers advice on crafting the measure.

But Cantwell insisted Democrats would hold their ground, including against the very tech giants that had successfully staved off regulation for so many years.

“There are those who just see the ‘ka-ching’ of this scenario, and they’re like, ‘Let’s have no rules,’ ” she said. “I don’t see them coming to the table on strong enforcement, but we’ll see.”