On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 

The bill authorizes enforcement by the Federal Trade Commission (“FTC”), as well as civil enforcement by state attorneys general.  While Section 5 of the FTC Act exempts common carriers from the FTC’s jurisdiction, the bill explicitly authorizes FTC enforcement with respect to common carriers.

Senators Klobuchar and Kennedy originally announced their intent to introduce bipartisan privacy legislation on April 12, explaining that their legislation “would protect the privacy of consumers’ online data by improving transparency, strengthening consumers’ recourse options when a breach of data occurs, and ensuring companies are compliant with privacy policies that protect consumers.”

Just two days prior to Senators Klobuchar and Kennedy’s announcement, Senate Democrats Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which would authorize the FTC to promulgate regulations that enhance consumer control over how data is collected and used.  Here’s how the two bills stack up against each other:

  • Opt-In v. Opt-Out Consent: The centerpiece of the CONSENT Act is its requirement that edge providers obtain consent from customers for the use of their “sensitive information” by requiring consumers to opt in to data collection and tracking.  The CONSENT Act provides further protection for consumers by prohibiting edge providers from refusing to serve users who do not consent to the use and sharing of their information.  In contrast, the Social Media Privacy and Consumer Rights Act would give consumers the right to opt out of data collection and tracking, and allows providers to deny certain services or complete access if a user’s privacy selections “creates inoperability in the online platform.”
  • Breach Notification: Both bills would impose data breach notification requirements, with the CONSENT Act directing the FTC to promulgate regulations requiring edge providers to notify consumers if a data breach occurs and “harm is reasonably likely to occur,” and the Social Media Privacy and Consumer Rights Act requiring notification within 72 hours after the provider becomes aware that the user’s personal data “has been transmitted in violation of the privacy or security program” or the user’s privacy preferences.  This notice must also include an offer to the user to prohibit the provider from collecting and using the user’s personal data, to erase and cease further dissemination of all personal data of the user tracked by the provider, to provide a copy of the personal data that the provider has processed, and the option to close the user’s account with the online platform.
  • Disclosures on Data Collection and Usage: Both bills would require providers to disclose to consumers how their data is collected and used.  While the CONSENT Act focuses on “sensitive customer proprietary information,” including web browsing and application usage history, the Social Media Privacy and Consumer Rights Act extends disclosure requirements to “individually identifiable information.” The Social Media Privacy and Consumer Rights Act further requires operators to provide users with terms of service that include how personal data is collected, and the terms of service must be “easily accessible,” “of reasonable length,” “clearly distinguishable from other matters,” and use “language that is clear, concise, and well-organized.”

Both bills are currently pending before the Senate Committee on Commerce, Science, and Transportation.