In a significant move toward bolstering data privacy in the United States, key lawmakers announced a bipartisan agreement on draft legislation that would impose stringent restrictions on the collection and use of consumer data by technology companies. Democratic Senator Maria Cantwell, Chair of the Commerce Committee, and Representative Cathy McMorris Rodgers, Republican Chair of the House Energy and Commerce Committee, have joined forces to introduce a bill that aims to give Americans unprecedented control over their personal information.
The proposed legislation would enable individuals to prevent the sale of their personal data or demand its deletion. It also mandates disclosure if data is transferred to foreign adversaries. "This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information," the lawmakers stated.
The Federal Trade Commission (FTC) and state attorneys general would be granted broad authority to oversee consumer privacy issues, with robust enforcement mechanisms in place to hold violators accountable. Notably, the bill introduces a private right of action, allowing individuals to sue companies that infringe on their privacy rights and seek compensation for damages.
While the legislation does not outright ban targeted advertising, it offers consumers the option to opt out. It also proposes the creation of a new FTC bureau focused on privacy, with the authority to issue fines for violations. This move comes in the wake of several high-profile settlements, including Facebook's $5 billion fine in 2019 for privacy violations and Google and YouTube's $170 million settlement for collecting personal information about children.
Patrick Harding, Chief Architect at Ping Identity, commented on the development, stating, "The news that U.S. lawmakers have struck a deal on data privacy legislation is a major step forward in protecting people’s most valuable information." He emphasized the need for further measures, such as decentralized identity and passwordless authentication, to stay ahead of evolving cyber threats and meet users' demands for digital security.
The legislation also addresses the transfer of sensitive data, requiring "affirmative express consent" before such data can be shared with third parties. It aims to prevent discrimination based on personal information and mandates annual reviews of algorithms to protect individuals, particularly youth, from harm.