Two Democratic US senators today proposed a “privacy bill of rights” that would prevent Facebook and other websites from sharing or selling sensitive information without a customer’s opt-in consent.
The proposed law would protect customers’ Web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information.
“The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land,” Sen. Ed Markey (D-Mass.) said in an announcement.
Facebook CEO Mark Zuckerberg is testifying today in a Senate hearing. Facebook recently acknowledged that the private data of up to 87 million Facebook users was improperly shared with Cambridge Analytica, a firm that did consulting work for Donald Trump’s presidential campaign.
While Zuckerberg has promised to do a better job protecting Facebook users’ privacy, Markey said that “voluntary standards are not enough; we need rules on the books that all online companies abide by that protect Americans and ensure accountability.”
Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here.
“Edge providers” refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers’ permission before using their browsing histories to serve personalized ads.
The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.
The Markey/Blumenthal bill’s stricter opt-in standard would require edge providers to “obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer.” Edge providers would not be allowed to impose “take-it-or-leave-it” offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements.
Personal data protected by the proposed opt-in standard would include financial information, health information, information pertaining to children, Social Security numbers, precise geolocation information, the content of communications, call-detail information, Web-browsing history, application-usage history, and “any other personally identifiable information that the Commission determines to be sensitive.”
“Our privacy bill of rights is built on a simple philosophy that will return autonomy to consumers: affirmative informed consent,” Blumenthal said. “Consumers deserve the opportunity to opt in to services that might mine and sell their data—not to find out their personal information has been exploited years later.”
The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers “to develop reasonable data security practices” and to notify customers about data breaches that affect them.
GOP blocked privacy rules for ISPs
The Federal Communications Commission voted in 2016 to impose a similar opt-in privacy regime on Internet service providers such as Comcast, AT&T, Verizon, and Charter. The rules for ISPs never took effect, however, because the Republican-controlled Congress and President Trump overturned them before they could be implemented.
ISPs bitterly opposed the opt-in requirements, saying they shouldn’t face stricter rules than Facebook and Google. Like edge providers, ISPs follow voluntary guidelines in which they let customers opt out of the use of browsing histories for “personalized third-party marketing.”
If the Markey/Blumenthal bill passes, it’s possible that Facebook and Google could face stricter privacy requirements than Internet service providers. Alternatively, Congress could impose an opt-in standard that covers both websites and Internet service providers. Rep. Marsha Blackburn (R-Tenn.) proposed an opt-in requirement for both websites and ISPs last year, and Charter CEO Tom Rutledge said this week that Charter supports opt-in requirements as long as they apply to both websites and ISPs.
Although Charter opposed the FCC’s opt-in rules for ISPs, Rutledge now says that “Internet users should have ‘opt-in’ protections, meaning all entities must receive opt-in consent to collect and share their data for purposes other than the actual service they engaged in.”
Still, any attempt to impose an opt-in law will likely face opposition from Internet and advertising companies. A lobby group for Facebook, Google, and other online companies objected to Blackburn’s proposal last year, saying that websites already face “strict FTC privacy enforcement.”
Republican and Democratic lawmakers were split nearly down the middle on the repeal of privacy rules for ISPs, with Democrats supporting the rules and Republicans supporting the repeal. The partisan split on privacy regulation could doom the Markey/Blumenthal proposal.