On Friday, April 12, 2019, Senator Edward J. Markey (D-MA) introduced the Privacy Bill of Rights Act "in the wake of a series of revelations about myriad companies sharing consumers’ personal information without their consent, as well as unauthorized breaches of the data of hundreds of millions of consumers," a statement issued by the senator's office reads. The law would establish rules for both online and offline companies and ban the use of personal information for harmful, discriminatory purposes, such as housing and employment advertisements targeted based on demographics like race and gender. It also provides for cybersecurity standards, would provide the Federal Trade Commission (FTC) with rulemaking authority, and give individuals a private right of action.
The proposed bill currently does not provide for statutory damages, like the California Consumer Privacy Act (CCPA), but plaintiffs in private suits could sue for actual damages, punitive damages, injunctive relief, and punitive damages, plus attorney’s fees and costs. It seems likely that federal legislation will eventually preempt state privacy laws like the CCPA, but probably not before CCPA and perhaps other state statutes go into effect.
“America’s laws have failed to keep pace with the unprecedented use of consumers’ data and the consistent cadence of breaches and privacy invasions that plague our economy and society,” said Senator Markey. “I have long advocated for privacy protections that include the principles of knowledge, notice and the right to say ‘no’ to companies that want our information. But it is increasingly clear that a true 21st century comprehensive privacy bill must do more than simply enshrine notice and consent standards. That’s why my Privacy Bill of Rights Act puts discriminatory data uses out of bounds and tells companies that they can only collect the information that is necessary to provide the product or service requested by the consumer.”
The proposed Privacy Bill of Rights Act would:
• Prohibit companies from using individuals’ personal information in discriminatory ways.
• Require companies to protect and secure the personal information that they hold.
• Establish a centralized FTC website that tells consumers about their privacy rights and require companies to use easy-to-read short-form notices provided directly to consumers.
• Ensure companies collect only the information they need from consumers in order to provide the requested services.
• Enable State Attorneys General to protect the interest of their residents and bring action against companies that violate the privacy rights of individuals.
• Provide individuals a private right of action empowering them to defend their own privacy rights.
Last month, Senator Markey and Senator Josh Hawley (R-MO) introduced legislation to update the Children’s Online Privacy Protection Act (COPPA) by prohibiting internet companies from collecting personal and location information from anyone under 13 without parental consent and from anyone 13- to 15-years old without the user’s consent.
