American Privacy Rights bill introduced to US Congress: a GDPR it isn’t


By Steven Hawley

Piracy of media content occurs when a criminal actor gains access to protected works without permission. Often, this begins when the actor buys consumer or business databases from data brokers and uses them as keys to the break-in. In turn, these databases may themselves have been stolen from insufficiently protected commercial or institutional IT platforms.


Of course, such data repositories are also built through legitimate channels, such as social media and Web platform APIs, and then aggregated and sold. Many consumers aren’t aware that this occurs. Others are aware but don’t understand the potential consequences. Still others are aware, but don’t care.

There’s a booming market in data that helps marketers reach very specialized audiences, such as individuals with specific health ailments, or that helps political interests reach individuals who fit a certain profile.

Against that backdrop, a new bill was introduced in the US Congress, co-sponsored by Senator Maria Cantwell (D-WA) and US Representative Cathy McMorris Rodgers (R-WA): the American Privacy Rights Act (A.P.R.A.). The text of the working draft that was available at the time of this article is linked below.

Piracy Monitor’s reaction: it’s a good start, but it needs further attention:

1) The A.P.R.A. calls to invalidate and replace state-level privacy regulation, such as California’s. On the contrary, the A.P.R.A. itself should carry forward the minimum protections from California’s law, if not from the EU’s General Data Protection Regulation (GDPR).

2) Consumer options: The default setting for individuals should be “opted out,” not “opted in,” which is the long-held standard for American marketers. In our opinion, that American standard is completely backward. Instead of notifying individuals that their data is being collected and that they can opt out, they should be notified of the nature of any data being collected and given the opportunity to opt in, which is the position taken in Europe. The draft A.P.R.A. does recognize that marketers must clearly present ways to opt out entirely or, if there are multiple opt-out options, partially as well.

3) Fines are woefully insufficient as defined in the draft A.P.R.A. Limiting data broker penalties (fines) to a maximum of $10,000 per offense, as per 15 USC 45 (l) and (m), is not a deterrent to a violator whose annual revenues could be in the billions of dollars. GDPR allows fines of up to 4% of annual revenue. Why not here?

4) There should be no exemptions to compliance or reporting requirements, other than to exempt very small organizations or individuals.

5) Section 14 – The period allowed to develop Guidance should be less than the two years defined in the draft, and the Guidance should be modeled after GDPR, which can provide plenty of guidance and has been vetted and approved by a body made up of 27 countries.

6) There should be a process to limit the ability of repeat violators to do business unless they prove that they meet compliance standards: something analogous to site-blocking against pirate web sites that violate copyright.

7) The draft of the Act, and the pilot program that it defines in Section 16, should be informed by cybersecurity best practices as defined by CISA, to reduce the threat of breaches that could put protected consumer databases at risk of being exploited by criminal enterprises.

8) Is enforcement by the US Federal Trade Commission sufficient? Since communications carriers (ISPs) participate in the transport of confidential information and maintain their own user databases, which are themselves subject to breaches and exploitation, the FCC should also be placed in a position to enforce this Act. In some countries, the communications regulator is the enforcement body.

Sen. Cantwell is Chair of the Senate Committee on Commerce, Science and Transportation. McMorris Rodgers is Chair of the House Committee on Energy and Commerce.

Further reading

Committee Chairs Cantwell, McMorris Rodgers unveil historic draft comprehensive data protection legislation. Press release. April 9, 2024. Web site of US Senator Maria Cantwell, United States Senate.

Draft of the bill before the U.S. Senate and U.S. House of Representatives (not numbered at the time of this article). 118th Congress, 2nd Session.

Lawmakers unveil sprawling plan to expand online privacy protections. Article. By Cristiano Lima-Strong. April 7, 2024. The Washington Post.

Why it matters

The bill as presented here is insufficient to protect consumer interests from indiscriminate data harvesting, whose end results can fall into criminal hands and be exploited. Consumers who don’t realize that their data is put up for sale could have no legal recourse.

Also, the bill is not specific about leveraging copyright law and cybersecurity best practices to further consumer protection. Finally, penalties are too low.
