Sen. Marco Rubio (R., Fla.) has introduced a bill aimed at creating data privacy obligations for companies that collect and use consumers’ personal data that would be “substantially similar” to the requirements imposed on federal government agencies by the Privacy Act of 1974, with a deadline for congressional action, absent which Federal Trade Commission proposals would take effect.
The American Data Dissemination (ADD) Act would direct the FCC within 180 days to make recommendations for privacy requirements to impose on covered providers similar to those in the Privacy Act.
Within 18 months of enactment, the FTC would be required to submit proposed regulations to Congress that would impose privacy obligations on covered providers substantially similar to the Privacy Act requirements for agencies.
“To ensure Congress acts in a timely manner, if the Congress fails to enact a law based on the recommendations provided by the date that is two years after enactment of this bill, the FTC would promulgate a final rule, not later than 27 months after the date of enactment to impose privacy requirements based on the narrow, congressionally mandated course of action created through this bill,” according to a fact sheet on the ADD.
“Importantly, this bill takes important precautions to ensure that it does not entrench large, incumbent actors in this space. The FTC is required to establish criteria for exempting certain small, newly formed covered providers from the requirements under the regulations, which take into account certain factors including the period of time the provider has been operating, the annual revenue of the provider and the number of individuals about whom the covered provider collects records. It also provides consumers with rights to access and correct records maintained by a covered provider that are not accurate, relevant, timely or complete as defined by the FTC, and a process for deletion of a record,” the fact sheet adds.
Entities already subject to sector-specific privacy requirements would not be covered by the new rules.
The bill would preempt state laws covering the same data.
Public Knowledge criticized the bill as “a step backwards,” adding that “any protections it might inadvertently create would take years to go into effect.”
In a statement, Public Knowledge Director–global policy Gus Rossi said, “Sen. Rubio’s severely limited bill is better suited to Americans living in 1974 than today. In the post-Equifax era, Americans face a constant stream of data breaches and scandals that clearly demonstrate a need for real protections, not mere lip service. This bill does not adequately protect Americans’ data or give consumers the control they want and need to protect themselves online. We cannot support this bill.”
Mr. Rossi added, “The 1974 Privacy Act is fundamentally a transparency and data accuracy law, designed well before the popularization of the internet and cloud computing. Adapting the 1974 Privacy Act to the private sector would do nothing for Americans fighting to control their personal information in the modern world. In 2019, Sen. Rubio’s proposal is ‘too little, 45 years too late,’ and at a disproportionately high cost: preempting meaningful state innovation in privacy protection.
“Additionally, in a best-case scenario, it would be years before this bill resulted in any remotely meaningful protection, leaving consumers vulnerable. And finally, it’s absurd that the bill would preempt state law and constrain the jurisdiction of specialized agencies like the FCC in exchange for very limited protections for consumers. Congress should legislate to solve today’s problems — not cut the privacy debate short with a bill that represents an antiquated approach to consumer privacy,” Mr. Rossi said. —Lynn Stanton, [email protected]
Interested in submitting an article?
Submit your information to us today!Learn More