Senate Republicans introduced long-awaited privacy legislation that would require businesses to be more transparent in consumer data collection and allow courts to grant injunctive relief in cases of privacy violations.
Commerce, Science, and Transportation Chairman Roger Wicker (R-Miss.) released the consumer privacy bill, which expands on a draft version his staff first circulated last November. Sens. John Thune (R-S.D.), Marsha Blackburn (R-Tenn.), and Deb Fischer (R-Neb.) cosponsored the legislation.
The bill includes tenets of the draft bill, such as the establishment of individual consumer data rights and a requirement that businesses allow consumers to access, correct, delete, or port their data. The measure also seeks to prohibit businesses from processing or transferring consumers’ data without consent.
The bill would create a victims relief fund within the Treasury Department to provide consumers with monetary relief for privacy violations.
Any privacy bill faces long odds of passage this year, however. The few weeks of business ahead of November’s elections, and in the lame-duck session to follow, mean any bill will compete with must-pass legislation to fund the government and the next round of aid to stimulate the economy during the Covid-19 pandemic.
Republicans and Democrats on the Senate Commerce, Science and Transportation Committee remain far apart on two central issues: whether to give consumers the right to sue over privacy violations, and whether to preempt existing state laws such as one in California that went into effect in January.
The bill from Wicker would not allow for consumer lawsuits, and seeks to preempt state privacy laws except in the case of data breaches.
The Republican bill will likely be discussed along with a measure (S. 2968) from panel ranking member Maria Cantwell (D-Wash.) during a Sept. 23 committee hearing on the topic that will feature former Federal Trade Commission members.
Set to appear at that hearing is former FTC commissioner Julie Brill, who now serves as Microsoft Corp.’s chief privacy officer.
A new provision in the Republican bill would allow courts to order injunctive relief to force companies to abide by privacy rules. Courts also could allow for monetary refunds, or changing or voiding contracts. Wicker said last year that he was open to narrow injunctive relief, which is a court order directing a defendant to stop a specified act or behavior.
The bill was updated to include language from legislation (S. 2763) that would require businesses to provide notification if they use secret algorithms to tailor results for users. The mandate would apply only to companies that have 1 million or more users and earn $50 million or more in annual revenue. That measure was originally introduced by Sens. Jerry Moran (R-Kan.), Richard Blumenthal (D-Conn.), Thune, and Blackburn.
The measure also incorporates provisions from legislation (S. 1084) sponsored by Fischer and Sen. Mark Warner (D-Va.) that would ban “manipulative” design features that allow large websites to prompt consumers to allow collection of personal data. The features, sometimes called “dark patterns,” could include pre-checked boxes or pop-ups that solicit consent for data collection.
Though passage is a long shot this year, the introduction of the bill and next week’s hearing set the stage for a privacy push in 2021, according to the vice president of legislative strategy at BSA | The Software Alliance. The group’s members include Microsoft, International Business Machines Corp. and other software firms.
“Obviously they’re not going to pass a bill into law, but they’ve made some important progress this Congress and this year,” Craig Albright said in an interview. “This will help collect the gains that they’ve made.”
With assistance from Ben Brody (Bloomberg News)
To contact the reporter on this story: Rebecca Kern in Washington at firstname.lastname@example.org