Amid a wave of data breaches in recent years, the U.S. Senate is again mulling legislation that would require online service providers to safeguard users’ personal information.
Earlier this month, a group of 16 Democratic senators – including U.S. Sen. Amy Klobuchar (D-Minn.) – reintroduced the Data Care Act. A version proposed in December 2018 failed to gain traction after its introduction in the Senate.
Republicans have proposed their own bills this year, but a definitive bipartisan bill has yet to emerge.
Under the Data Care Act, online service providers would need to protect users’ data by securing individual identifying data. Also, online providers would be barred from using individual identifying data to benefit themselves or harm users.
“Individual identifying data” refers to any data collected through a digital network and linked to a user or a device associated with the user.
Providers would also need to inform users of data breaches involving sensitive data, such as social security numbers, biometric data, names, precise geolocation, and health information.
The proposed requirements would also apply to third parties when providers disclose, sell, or share individual identifying data with them. Providers would need to audit the third parties’ data security and information practices on a regular basis.
Under the proposed legislation, the Federal Trade Commission (FTC) would have rulemaking authority to implement the law. For instance, the FTC could impose fines on first- and third-party providers.
“Our laws must keep up with advances in technology,” Klobuchar said in a press release. “The Data Care Act will ensure that companies secure consumers’ sensitive data and give the Federal Trade Commission (FTC) the tools to hold companies accountable when they fall short.”
Klobuchar’s staff have compared the proposed requirements to the current legal requirements placed on doctors, lawyers, and bankers to protect client information.
This year, Klobuchar helped introduce three other bills to protect consumers’ online data and private health data, but those bills haven’t advanced far beyond their introduction.
The Hill reports that both Democrats and Republicans agree on allowing users to view, change, and delete their own data. Senators also agree on a requirement for companies to clearly communicate their privacy policies. But the two parties split on how much power to give the FTC, whether individuals can sue companies for privacy violations, and whether federal law should override state privacy laws.
Democrats support allowing users to sue providers, but Republicans oppose that on grounds that a litany of lawsuits could stifle innovation.
Republicans want the federal privacy law to override state privacy laws, preventing a “patchwork of state laws.” Democrats favor allowing states to have their own privacy laws. In January 2020, the California Consumer Privacy Act (CCPA) will take effect in that state, giving consumers more control over their online data.