champion innovation

A new federal privacy bill overdoses on empowering agencies over helping consumers

Late last week, a discussion draft of a new federal privacy bill was uploaded to the cloud server of the US Senate Commerce Committee and made public.

The bill, known as the American Privacy Rights Act, is the latest serious attempt by a bipartisan cohort of congressional legislators to address Americans’ privacy rights online, as well as the obligation of companies, nonprofits, and organizations that cater to them.

There are been numerous attempts at national privacy bills, but this is the first version that seemingly has bipartisan agreement across both the US House and Senate.

At the Consumer Choice Center, we have long championed the idea of a national privacy law, putting forth what we believe are the important principles such a law should have:

  • Champion Innovation
  • Defend Portability
  • Allow Interoperability
  • Embrace Technological Neutrality
  • Avoid patchwork legislation
  • Promote and allow strong encryption

Now that a serious bill has been put forward, authored by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rogers (R-WA), both chairs of the Commerce Committee in their respective congressional chambers, we’ll address what we consider to be helpful but perhaps also harmful to both consumer choice and future tech innovation if this bill remains in its current form.

Granted, this is a working draft of the bill, and will (hopefully) be updated after feedback. For those who are interested, here’s the latest primer on the bill from the bill authors.

I also provided some additional comments on this bill in a recent Q&A with Reason Magazine, which I’d encourage you to read here if you’re interested.

Off we go.

What’s to like:

A national privacy law is both necessary and welcomed. Not only because it would override the overly stringent state-level privacy laws in places like California and Virginia, but because it would provide uniform policy for consumers and companies that wish to offer them goods and services. 

And also because, as compared to the European Union and other countries, our privacy rights as Americans differ widely depending on the services or sectors we interact with, our IP address, and where we happen to live. And considering the hundreds of privacy policies and terms of service we accept each and everyday, there are vastly different frameworks each of these contracts import.

Here are some positives on the American Privacy Rights Act:

  • Preemption of state privacy laws is a good measure introduced in the bill, particularly when it comes to the strict and overbearing California privacy law, which has become a standard bearer due to California’s huge population and company base.
    • This provides legal stability and regulatory certainty, so that consumers can know their particular rights nationwide, those who interact with these laws can begin to learn and implement them, and there is universality that protects everyone.

  • Data portability is an important principle and could conceivably become an easily enforceable section of privacy legislation. This should be both reasonable and accessible. This would include the exporting of information collected by a particular service or app, as well as any key account details, so that information can be ported over to competing services if consumers want to change things up.
    • Examples: open banking, exportable social profiles, info, etc.
    • Ideally, this information would be exportable using non-proprietary data formats.

  • Transparency on what data is collected and by whom (mostly data brokers) is also a good measure included in the bill. Most tech services and app stores have made this a key feature of what they provide because it’s important to consumers.
    • A registry of data brokers, which would be required, seems inoffensive and would be a good measure of transparency, as would a privacy policy requirement, which most sites already provide and which major app stores require.
    • However, as we’ll mention later, government agencies (particularly law enforcement) are not barred from interacting with data brokers to circumvent warrants, which puts a lot of data of Americans at risk.
      • Sen. Ron Wyden (D-OR) introduced S.2576, the Fourth Amendment Is Not For Sale Act, to deal with this issue and its counterpart in the House successfully passed yesterday.

These three points found throughout the bill do measure up to the principles we’ve outlined in the past. Data portability, avoiding patchwork legislation, and transparency over what data is collected and what isn’t. Most online services already offer this information in privacy policies, and when mediated through cell phone or computer app stores, consumers have direct insight into what is collected.

This is a good starting point, and does demonstrate that the legislators are working in good faith to try to protect Americans’ privacy.

But while those are important, these should also be balanced with consumer access to innovative goods and services, which are cornerstone to our ability to choose the technology we want.

What’s not to like:

While a strong national privacy law is vital, we should also make certain that it is balanced, appropriate, and fair. Consumer protection is an overarching concern, but so should responsible stewardship of data if consumers want it, as well as the ability to access innovation to improve our lives.

These aspects of the bill are more troublesome, as they would likely invite more problems than they would solve.

  • An outright veto on targeted advertising is unworkable and would ultimately work against consumers. It would also basically cut off an important revenue source for most online services that consumers appreciate and use everyday.
    • This algorithmic style of reaching out to willing users implements geo-targeting and personalization, which are key to the consumer experience, and are a willing trade-off for consumers who want to use free or otherwise heavily discounted services.
    • They are also a prime concern for small businesses who rely on targeted ads to reach their customers, whether that be through ads online
    • At the same time, the prohibition on large social media companies offering paid subscription plans to those who don’t want to participate in targeted advertising seems counterintuitive and goes against the spirit of what is trying to be achieved here.
    • A privacy bill is supposed to be about giving consumers ultimate autonomy and decision rights, not outlawing a particular business model.

  • Inventing a right of “opt-out” would necessarily create several tiers of consumers, and would complicate virtually any business’ attempt to collect necessary information on their consumers. It would be a de-facto ban on targeted advertising, as social media services specifically would also be unable to offer “paid” versions to their users, and small businesses would not be able to use social networks to advertise to consumers who they believe would like to buy their goods or use their services.

  • Data minimization is a good principle, but it’s an unworkable legal standard because it would vary so widely depending on any app, nonprofit, or company.
    • Data needs change depending on how firms and organizations evolve, and whatever standard this law would enforce would likely make it more difficult for companies to scale and offer better and more affordable services to consumers in the future.

  • One of the more offensive parts of the bill would be the private right of action, which would be more encompassing than any privacy bill in the world. It would also not allow suits to be settled in arbitration, meaning every lawsuit – no matter its merits – will have to be reviewed by a judge.
    • Private right of action would empower plaintiff attorneys and deter innovation on the part of firms, vastly bloating our justice system.
    • This wouldn’t be positive for consumers, as it would likely raise the cost of goods and services, and would generally add to the overall litigious nature of the US judicial system.
    • At the Consumer Choice Center, we’ve long campaigned on rolling back the excesses of our tort law system and introducing simple legal reforms to better serve those who are legitimately harmed by companies.

  • 🚨The bill exempts government agencies at every level from any privacy obligations. This is a glaring red flag, especially considering the amount of sensitive data that has been routinely leaked, hacked, or made available to the public when it shouldn’t have been. Exempting government agencies from privacy rules is an egregious mistake.
    • If a state’s database of say, gun owners, is leaked (as happened in California). No crime, no foul. The same if a local or city government leaks your income information, Social Security number, healthcare data, or any other type of information. This should be immediately addressed in the bill to introduce parity.

  • Prior restraint for algorithms, which gives the Federal Trade Commission and other agencies veto power on all “computer processes” before they can be used by the public. This means the FTC would need access to all algorithms and AI innovations before launch, which would absolutely have a chilling effect on innovation and restrict entrepreneurial data projects and development of AI models.
    • This would be a huge VETO on American free enterprise and the future of tech innovation in our country, and risk exporting our best and brightest abroad.

  • The FTC would be responsible for the enforcement of these rules, as well as state attorneys generals, but a lot would be litigated in private rights of action (torts, etc.), which would generally favor incumbents who have the resources to comply. So while much of this bill is aimed at trying to reign in “Big Tech,” they paradoxically will likely be the only firms with the significant power to comply.
    • In addition, the Department of Justice and the FTC have built a reputation as anti-tech forces in our federal government. Would this newfound power lead to better goods and services for consumers, or more limited options that would bode well with regulatory authorities for ideological purposes. This is a difficult pill to swallow in either case.

Is there another way forward?

Assuming most of the glaring issues with this bill are fixed – the soft ban on targeted advertising, exempting of government agencies, empowerment of bogus lawsuits by private right of action, the inability to bring cases to arbitration, FTC’s powerful veto power over algorithmic innovation – there are elements that are favorable to those who want a good balance of consumer choice and innovation in our economy while protecting our privacy.

While all these are measures that a national privacy bill could address, there is still much more that we as individuals can do ourselves, using tools that entrepreneurs, developers, and firms have provided to us to be both more private and free. We hope legislators will take these concerns seriously, and amend some of these provisions in the draft bill.

The normalization of end-to-end encryption in messaging, data, and software has been a great counterbalance to the endless series of leaks, hacks, and unnecessary disclosures of private data that have caused objective harm to citizens and customers. We hope this is encouraged and becomes default for digital services, as well as remains protected for use by both firms and consumers.

For another view, the International Center on Law and Economics has an interesting paper on the idea of “choice of law” as the better approach for privacy rights, opening up selection of a particular privacy regime to market choice rather than top-down legislation, similar to private commercial courts in the United Arab Emirates. This would allow states to compete for business by offering the most balanced privacy law, which could spurn a lot of innovative thinking about better ways to approach this.

That said, this is technically how it has been de facto practiced in the country today, and California has won by default owing to its large population. I’m not sure we would be able to trust too many other states to craft balanced but effective privacy laws that wouldn’t create more trouble than it would solve. But I would be happy to be proven wrong.

While this privacy bill is ambitious, and covers a lot of ground that is vital for privacy concerns, there are still many elements that would require sweeping changes before it should be palatable for consumers who desire choice, prefer innovation, and what to ensure that our society remains both free and prosperous.

Scroll to top