Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a dedicated FTC office to enforce them. Cantwell also pointed out in her Bill announcement that it defines privacy as a right in federal law.
The proposed law would prevent companies from mishandling data to cause individuals harm. They’d also have to hand over a copy of the data to the individual owning it at their request and name any third party that they’d given it to. They’d also have to delete it when asked.
Companies would need to publish clear privacy policies, and they’d need to get a person’s consent before weakening their privacy measures. The consent measures are pretty close to those under the California Consumer Protection Act (CCPA) that comes into effect on 1 January 2020, in that they require companies to get permission to process someone’s data and allow individuals to opt-out of having their data transferred to others.
The legislation defines data broadly, including the usual suspects like email, financial account numbers, government-issued identifiers like social security numbers, and information about race, religion, union membership, and sexuality. It also covers things like biometric data, geolocation information, communications content or metadata, data about online activities over time and across third-party websites or online services, and even calendar appointments. The law singles out intimate photos and videos of people, too, in a clear attempt to prevent online creeps.
All the above falls under the term ‘sensitive covered data’, while ‘covered data’ seems to cast a wider net, encompassing “information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”. That’s a broad definition, and like the CCPA’s seems to take in things like IP addresses.
Companies needn’t deliberately violate privacy rules to incur a penalty. The Bill also forces them to put security measures in place to avoid an accidental breach, including vulnerability assessments and training.
One thing in this law that isn’t in the CCPA or GDPR is the establishment of a separate Bureau to focus on information privacy issues. In California, that’s up to the state’s Attorney General, while European countries have their own data protection registrars like the UK Information Commissioner’s Office (ICO). This Bureau would be in the FTC and would pick up oversight traditionally conducted by other consumer protection bureaus.
The text of the bill doesn’t specify the FTC’s penalties but it does allow for an award of up to $1,000 per violation per day in individual civil suits, which could run into billions.
This isn’t the only federal law on the hustings. In October, Oregon Senator Ron Wyden announced the Mind Your Own Business Act (formerly the Consumer Data Protection Act), which would impose fines and jail sentences of up to 20 years on senior executives that flouted strict privacy rules.
The bill has broad if partisan support from senators Ed Markey (D-Mass.), Amy Klobuchar (D-Minn.) and Brian Schatz (D-Hawaii). However, as James Mariani, associate in the data privacy group at Frankfurt Kurnit Klein & Selz PC points out, there’s a world of difference between getting a law through in a state like California compared to getting it through Capitol Hill.
Millionaire Alastair Mactaggart forced through the CCPA after preparing an even stricter ballot initiative that could have put big tech firms on the ropes. Ballot initiatives aren’t a thing on the Hill, let alone most US states, which is one reason why, for example, a state privacy law died in the lower House in Washington.
James Mariani said of passing a Bill that is “as encompassing and as prescriptive as California’s”:
We are so bipartisan that getting anything passed is going to be difficult without cutting it up and making all sorts of concessions.
from Naked Security https://ift.tt/2q0Rmbx
0 comments:
Post a Comment