This month, Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.) unveiled a rare government feat: a bipartisan bill that has lawmakers feeling “optimistic” and “fired up.”
It’s the American Privacy Rights Act (APRA), and it’s long overdue. The U.S. lags far behind the rest of the world on privacy legislation; 137 of the world’s 194 countries have national privacy laws, according to the United Nations. We’re the G-20 outlier without one. This isn’t the kind of “exceptionalism” Americans should strive for.
The proposal, which aims to “make privacy a consumer right” and “give consumers the ability to enforce that right,” comes at a pivotal moment. On April 20, President Biden signed a bill to reauthorize the Foreign Intelligence Surveillance Act. While this law is a tool for safeguarding national security against foreign targets, it also allows collection of the web and cellphone data of hundreds of thousands of Americans and has a history of abuse by intelligence agencies. Meanwhile, the new law forcing a sale or ban of TikTok, meant to prevent foreign access to Americans’ data, provides only narrow protections.
Congress is under enormous pressure to deal with the rise of AI, combat surveillance capitalism and reduce the serious harms tech companies inflict upon kids and teens. There have been other federal privacy proposals, but they have failed in our gridlocked Congress. Led by the chairs of the House and Senate Commerce committees, APRA is the first to gain significant bipartisan and bicameral support.
The immediate need for this legislation is clear. Tech companies aren’t the only culprits guilty of misusing our data. In March, General Motors was caught in a scandal when it was found sharing data on its customers’ driving behavior with insurance companies via data brokers — those often massive, multibillion-dollar companies that exist to buy, sell and resell our data.
This speaks to part of APRA’s appeal: It’s remarkably broad. It would encompass the private sector, not-for-profits and common carriers, including tech and other companies and medium or large organizations that handle our data. And it proposes extra restrictions on data brokers.
To minimize data sharing, the legislation would prevent companies and organizations from collecting data that is not “necessary” or “proportionate” to the purpose for which the data is collected. In a victory for transparency, entities would be required to disclose the data they have on you and explicitly allow you to edit or delete it. In addition, it would require companies to allow consumers to opt out of targeted advertising and data collection by brokers. And finally, this legislation would allow you to sue companies and seek financial damages for violations of your privacy rights.
The bill faces some significant criticisms, including from leading privacy advocates and organizations. A post from the Electronic Frontier Foundation took issue with the bill “preempting existing state laws and preventing states from creating stronger protections in the future,” warning that this condition “would freeze consumer data privacy protections in place.” Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, cautioned that any preemptive legislation should be stronger than existing state laws — which APRA currently is not, she suggested.
The Electronic Frontier Foundation post argued that, for example, the bill should “limit sharing with the government and expand the definition of sensitive data.” And the ranking member of the House Energy and Commerce Committee, Rep. Frank Pallone Jr. (D-N.J.), said the bill “could be stronger in certain areas, such as children’s privacy.”
These criticisms are valid but not enough so to derail the proposal. Consider that California has among the strongest state privacy laws, yet tech giants such as Meta and Google, which make their homes here, are still accused of some of the most egregious privacy violations. A powerful and universal federal law is required to rein them in. It would also be more effective than the status quo of a byzantine patchwork of state laws.
And APRA can be strengthened over time. That happened with the Children’s Online Privacy Protection Act, passed in 1998 to protect children under age 13. In 2013, the law was broadened and updated by the Federal Trade Commission to reflect evolving technology such as mobile devices. It also expanded the definition of “personal information” to include geolocation data, photos, videos, audio of children and more. Once passed, APRA could similarly serve as a foundation for future improvements.
Eventually it could be strengthened with an important guardrail like one built into the U.K.’s Online Safety Act. Depending on the severity of the violation, that law imposes jail time for executives and fines of up to $22 million or 10% of a company’s gross revenue, whichever is greater. These harsh penalties can help prevent the trend of tech giants routinely flouting privacy laws by simply paying fines as costs of doing business.
The bill’s review by committees in both chambers of Congress may bolster it further. Our government should not waste this watershed moment to establish a bedrock of privacy rights for all Americans.
Mark Weinstein is a tech entrepreneur, privacy expert and the author of the forthcoming book “Restoring Our Sanity Online.”