To add to the growing list of federal privacy frameworks introduced this year, Senator Amy Klobuchar (D-MN) has re-introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667).  Senator Klobuchar introduced the bill originally in 2018 and 2019, although it did not advance to committee in either instance.  Senators Kennedy (R-LA), Burr (R-NC), and Manchin (D-WV) have co-sponsored the bill.

Key provisions in this bill include:

  • Covered Entities and Data: The bill applies to websites and mobile applications, including social networks, that collect personal data while consumers use their online platforms.  The definition of personal data expressly encompasses data governed by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”).
  • Required Privacy Choices: Online platforms must provide users with the option to specify their privacy preferences, which may be done by agreeing to the terms of use for the online platform.
  • Consent for New Products and Changes to the Program: Platforms may not introduce new products or change the data privacy or security program in a way that overrides the privacy preferences of users unless they inform users of the change and obtain their “affirmative express consent,” a term which is not defined by the proposal.
  • Access Rights: If requested by the user, platforms must offer free of charge a copy of the personal data that they processed in an electronic and easily accessible format, including a list of each person that received the user’s data.
  • Breach Notification: The bill mandates that online platforms notify users within 72 hours that their personal data has been transmitted in violation of the online platform’s privacy or security program, including transmissions in violation of the user’s privacy preferences.  Online platforms must also offer users the option to prohibit the operator from collecting and using their information further and delete their personal data.
  • Accountability: The proposal also requires that covered entities have privacy programs in place, and audit the program at least every two years.
  • Enforcement: The bill empowers the Federal Trade Commission (“FTC”) to enforce its provisions.  It also grants state attorneys general and other state consumer protection officers enforcement authority should the FTC decide not bring a civil action of its own.

Unlike some of the other proposals this year, including the Information Transparency and Personal Data Control Act, this bill does not preempt state privacy laws.  Also, it does not provide consumers a private right of action.

The text of the bill will be available here.  We will continue to monitor legislative developments on this front.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Andrew Longhi Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries.

Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.