federal privacy bill

A new federal privacy bill overdoses on empowering agencies over helping consumers

Late last week, a discussion draft of a new federal privacy bill was uploaded to the cloud server of the US Senate Commerce Committee and made public.

The bill, known as the American Privacy Rights Act, is the latest serious attempt by a bipartisan cohort of congressional legislators to address Americans’ privacy rights online, as well as the obligation of companies, nonprofits, and organizations that cater to them.

There are been numerous attempts at national privacy bills, but this is the first version that seemingly has bipartisan agreement across both the US House and Senate.

At the Consumer Choice Center, we have long championed the idea of a national privacy law, putting forth what we believe are the important principles such a law should have:

Champion Innovation
Defend Portability
Allow Interoperability
Embrace Technological Neutrality
Avoid patchwork legislation
Promote and allow strong encryption

Now that a serious bill has been put forward, authored by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rogers (R-WA), both chairs of the Commerce Committee in their respective congressional chambers, we’ll address what we consider to be helpful but perhaps also harmful to both consumer choice and future tech innovation if this bill remains in its current form.

Granted, this is a working draft of the bill, and will (hopefully) be updated after feedback. For those who are interested, here’s the latest primer on the bill from the bill authors.

I also provided some additional comments on this bill in a recent Q&A with Reason Magazine, which I’d encourage you to read here if you’re interested.

Off we go.

What’s to like:

A national privacy law is both necessary and welcomed. Not only because it would override the overly stringent state-level privacy laws in places like California and Virginia, but because it would provide uniform policy for consumers and companies that wish to offer them goods and services.

And also because, as compared to the European Union and other countries, our privacy rights as Americans differ widely depending on the services or sectors we interact with, our IP address, and where we happen to live. And considering the hundreds of privacy policies and terms of service we accept each and everyday, there are vastly different frameworks each of these contracts import.

Here are some positives on the American Privacy Rights Act:

Preemption of state privacy laws is a good measure introduced in the bill, particularly when it comes to the strict and overbearing California privacy law, which has become a standard bearer due to California’s huge population and company base.
- This provides legal stability and regulatory certainty, so that consumers can know their particular rights nationwide, those who interact with these laws can begin to learn and implement them, and there is universality that protects everyone.

Data portability is an important principle and could conceivably become an easily enforceable section of privacy legislation. This should be both reasonable and accessible. This would include the exporting of information collected by a particular service or app, as well as any key account details, so that information can be ported over to competing services if consumers want to change things up.
- Examples: open banking, exportable social profiles, info, etc.
- Ideally, this information would be exportable using non-proprietary data formats.

Transparency on what data is collected and by whom (mostly data brokers) is also a good measure included in the bill. Most tech services and app stores have made this a key feature of what they provide because it’s important to consumers.
- A registry of data brokers, which would be required, seems inoffensive and would be a good measure of transparency, as would a privacy policy requirement, which most sites already provide and which major app stores require.
- However, as we’ll mention later, government agencies (particularly law enforcement) are not barred from interacting with data brokers to circumvent warrants, which puts a lot of data of Americans at risk.
  - Sen. Ron Wyden (D-OR) introduced S.2576, the Fourth Amendment Is Not For Sale Act, to deal with this issue and its counterpart in the House successfully passed yesterday.

These three points found throughout the bill do measure up to the principles we’ve outlined in the past. Data portability, avoiding patchwork legislation, and transparency over what data is collected and what isn’t. Most online services already offer this information in privacy policies, and when mediated through cell phone or computer app stores, consumers have direct insight into what is collected.

This is a good starting point, and does demonstrate that the legislators are working in good faith to try to protect Americans’ privacy.

But while those are important, these should also be balanced with consumer access to innovative goods and services, which are cornerstone to our ability to choose the technology we want.

What’s not to like:

While a strong national privacy law is vital, we should also make certain that it is balanced, appropriate, and fair. Consumer protection is an overarching concern, but so should responsible stewardship of data if consumers want it, as well as the ability to access innovation to improve our lives.

These aspects of the bill are more troublesome, as they would likely invite more problems than they would solve.

An outright veto on targeted advertising is unworkable and would ultimately work against consumers. It would also basically cut off an important revenue source for most online services that consumers appreciate and use everyday.
- This algorithmic style of reaching out to willing users implements geo-targeting and personalization, which are key to the consumer experience, and are a willing trade-off for consumers who want to use free or otherwise heavily discounted services.
- They are also a prime concern for small businesses who rely on targeted ads to reach their customers, whether that be through ads online
- At the same time, the prohibition on large social media companies offering paid subscription plans to those who don’t want to participate in targeted advertising seems counterintuitive and goes against the spirit of what is trying to be achieved here.
- A privacy bill is supposed to be about giving consumers ultimate autonomy and decision rights, not outlawing a particular business model.

Inventing a right of “opt-out” would necessarily create several tiers of consumers, and would complicate virtually any business’ attempt to collect necessary information on their consumers. It would be a de-facto ban on targeted advertising, as social media services specifically would also be unable to offer “paid” versions to their users, and small businesses would not be able to use social networks to advertise to consumers who they believe would like to buy their goods or use their services.

Data minimization is a good principle, but it’s an unworkable legal standard because it would vary so widely depending on any app, nonprofit, or company.
- Data needs change depending on how firms and organizations evolve, and whatever standard this law would enforce would likely make it more difficult for companies to scale and offer better and more affordable services to consumers in the future.

One of the more offensive parts of the bill would be the private right of action, which would be more encompassing than any privacy bill in the world. It would also not allow suits to be settled in arbitration, meaning every lawsuit – no matter its merits – will have to be reviewed by a judge.
- Private right of action would empower plaintiff attorneys and deter innovation on the part of firms, vastly bloating our justice system.
- This wouldn’t be positive for consumers, as it would likely raise the cost of goods and services, and would generally add to the overall litigious nature of the US judicial system.
- At the Consumer Choice Center, we’ve long campaigned on rolling back the excesses of our tort law system and introducing simple legal reforms to better serve those who are legitimately harmed by companies.

🚨The bill exempts government agencies at every level from any privacy obligations. This is a glaring red flag, especially considering the amount of sensitive data that has been routinely leaked, hacked, or made available to the public when it shouldn’t have been. Exempting government agencies from privacy rules is an egregious mistake.
- If a state’s database of say, gun owners, is leaked (as happened in California). No crime, no foul. The same if a local or city government leaks your income information, Social Security number, healthcare data, or any other type of information. This should be immediately addressed in the bill to introduce parity.

Prior restraint for algorithms, which gives the Federal Trade Commission and other agencies veto power on all “computer processes” before they can be used by the public. This means the FTC would need access to all algorithms and AI innovations before launch, which would absolutely have a chilling effect on innovation and restrict entrepreneurial data projects and development of AI models.
- This would be a huge VETO on American free enterprise and the future of tech innovation in our country, and risk exporting our best and brightest abroad.

The FTC would be responsible for the enforcement of these rules, as well as state attorneys generals, but a lot would be litigated in private rights of action (torts, etc.), which would generally favor incumbents who have the resources to comply. So while much of this bill is aimed at trying to reign in “Big Tech,” they paradoxically will likely be the only firms with the significant power to comply.
- In addition, the Department of Justice and the FTC have built a reputation as anti-tech forces in our federal government. Would this newfound power lead to better goods and services for consumers, or more limited options that would bode well with regulatory authorities for ideological purposes. This is a difficult pill to swallow in either case.

Is there another way forward?

Assuming most of the glaring issues with this bill are fixed – the soft ban on targeted advertising, exempting of government agencies, empowerment of bogus lawsuits by private right of action, the inability to bring cases to arbitration, FTC’s powerful veto power over algorithmic innovation – there are elements that are favorable to those who want a good balance of consumer choice and innovation in our economy while protecting our privacy.

While all these are measures that a national privacy bill could address, there is still much more that we as individuals can do ourselves, using tools that entrepreneurs, developers, and firms have provided to us to be both more private and free. We hope legislators will take these concerns seriously, and amend some of these provisions in the draft bill.

The normalization of end-to-end encryption in messaging, data, and software has been a great counterbalance to the endless series of leaks, hacks, and unnecessary disclosures of private data that have caused objective harm to citizens and customers. We hope this is encouraged and becomes default for digital services, as well as remains protected for use by both firms and consumers.

For another view, the International Center on Law and Economics has an interesting paper on the idea of “choice of law” as the better approach for privacy rights, opening up selection of a particular privacy regime to market choice rather than top-down legislation, similar to private commercial courts in the United Arab Emirates. This would allow states to compete for business by offering the most balanced privacy law, which could spurn a lot of innovative thinking about better ways to approach this.

That said, this is technically how it has been de facto practiced in the country today, and California has won by default owing to its large population. I’m not sure we would be able to trust too many other states to craft balanced but effective privacy laws that wouldn’t create more trouble than it would solve. But I would be happy to be proven wrong.

While this privacy bill is ambitious, and covers a lot of ground that is vital for privacy concerns, there are still many elements that would require sweeping changes before it should be palatable for consumers who desire choice, prefer innovation, and what to ensure that our society remains both free and prosperous.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID	past	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
__sharethis_cookie_test__	session	This cookie is set by ShareThis, to test whether the browser accepts cookies.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
__gads	1 year 24 days	This cookie is set by Google and stored under the name dounleclick.com. This cookie is used to track how many times users see a particular advert which helps in measuring the success of the campaign and calculate the revenue generated by the campaign. These cookies can only be read from the domain that it is set on so it will not track any data while browsing through another sites.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_111177680_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 4 months 8 days 16 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
_tt_enable_cookie	1 year 24 days	Tiktok set this cookie to collect data about behaviour and activities on the website and to measure the effectiveness of the advertising.
_ttp	1 year 24 days	TikTok set this cookie to track and improve the performance of advertising campaigns, as well as to personalise the user experience.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	2 years	This cookie is set by twitter.com. It is used integrate the sharing features of this social media. It also stores information about how the user uses the website for tracking and targeting.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.
yt.innertube::nextId	never	These cookies are set via embedded youtube-videos.
yt.innertube::requests	never	These cookies are set via embedded youtube-videos.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
_gtm_session_start	1 hour	Description is currently not available.
_mailmunch_visitor_id	never	This cookie is set by MailMunch which is email collection and email marketing platform. We do not know the exact purpose of the cookie.
AnalyticsSyncHistory	1 month	No description
asp_transient_id	7 days	No description available.
GoogleAdServingTest	session	No description
li_gc	2 years	No description
mailmunch_second_pageview	never	This cookie is set by MailMunch which is email collection and email marketing platform. We do not know the exact purpose of the cookie.
raygun4js-userid	never	Description unavailable.
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

A new federal privacy bill overdoses on empowering agencies over helping consumers

What’s to like:

What’s not to like:

Is there another way forward?

Fun Police

ConsEUmer Podcast

Consumer Choice Center Cast

Recent Posts

Follow us

Contact Info