In a major step forward for the privacy debate and prospects for bipartisan legislation, Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and Ranking Member Maria Cantwell (D-Wash.) each released draft federal privacy bills last week and held a hearing to examine these proposals.
There’s a great deal of consensus between them, and we were particularly pleased to see agreement on one point: a recognition that any effort to create a federal bill should include prohibitions on specific data practices that could be abusive or harmful to consumers.
Privacy for America’s policy framework, released last week, is built around this idea. Rather than relying solely on consumers to digest confusing privacy policies, our framework would prohibit outright a range of practices that make personal data vulnerable to misuse. These include:
- Eligibility Determinations. The framework would prevent companies from circumventing existing sectoral laws (such as the Fair Credit Reporting Act) by banning the use or knowing supply of data to make eligibility decisions—about jobs, credit, insurance, healthcare, education, financial aid, or housing—outside these laws, thereby bolstering and expanding the protections already in place.
- Discrimination. The framework would supplement existing anti-discrimination laws by banning the use or knowing supply of data to charge higher prices for goods or services based on race, color, religion, national origin, sexual orientation, or gender identity. The framework also would allow individuals to opt out of the development of detailed inferences and predictions about them, which can contribute to discrimination.
- Fraud and Deception. The FTC and the states have pursued cases for decades against companies that engage in fraud and deception. This new framework would focus specifically on the use and supply of data for these purposes, banning a range of fraudulent practices designed to induce the disclosure of personal information and, more generally, material misrepresentations about data privacy and security.
- Stalking. In recent years, the proliferation of data has made it easier to track the location and activities of individuals for use in stalking. The framework would outlaw the use of personal information for stalking or other forms of substantial harassment and would hold apps that supply data for these purposes accountable.
- Use of Sensitive Data Without Express Consent. Importantly, the new framework would prohibit companies from obtaining a range of sensitive information that consumers care the most about—including health, financial, biometric, and geolocation information, as well as call records, private emails, and device recording and photos—without obtaining their express consent.
- Sharing Data Without Accountability. To help ensure that companies don’t circumvent these prohibitions, firms that disclose personal data to vendors would be required to enter into contracts to make sure that data they share is used lawfully and in line with how consumers were told the information would be used. In addition, these third parties would be required to implement procedures to ensure those contractual promises are upheld.
- Special Protections for Individuals Over 12 and Under 16 (Tweens). The framework includes a robust set of safeguards for data collected from tweens, including prohibiting companies from transferring tween data to third parties when they have actual knowledge of age. It also would ban payment to tweens for personal data, except under a contract to which a parent or legal guardian is a party. Finally, companies would be required to implement data eraser requirements allowing individuals to delete data posted online when they were tweens.
There are safe and responsible ways that companies can use data to the benefit of both consumers and the entire U.S. economy, which our framework seeks to protect. But by explicitly prohibiting harmful uses of data, we can ensure that the burden is shifted away from consumers and toward a common set of data privacy and security norms that hold companies accountable for data misuse. We urge Congress to consider these prohibitions in any final legislation to ensure that consumers’ personal data is protected.