The need for a federal privacy law has long been clear to most, but making it actually happen has been another matter. However, a compromise could potentially see it introduced by the end of the year.
Apple has been calling for Congress to pass a GDPR-style privacy law since at least 2018, but little progress has been made since then. All that may be about to change, however …
Europe led the way, in 2018
The world’s toughest privacy law is the EU’s General Data Protection Regulation (GDPR), which came into force almost six years ago.
Even Apple – a company famed for its respect for customer privacy – had to strengthen its safeguards in order to meet the extremely high standards set by GDPR.
The four key obligations GDPR places on companies when collecting your personal data are:
- There must be a specific, lawful reason to process the data
- Personal data must be encrypted
- You have a right to a copy of your data
- You can ask for your data to be deleted
Apple has long called for a US federal privacy law
Later the same year, Apple CEO Tim Cook made a speech about why privacy is a key issue for the tech industry, as well as society as a whole. He called for a GDPR-style federal privacy law in the US, echoing each of these four elements.
We at Apple are in full support of a comprehensive federal privacy law in the United States. There, and everywhere, it should be rooted in four essential rights:
First, the right to have personal data minimized. Companies should challenge themselves to de-identify customer data—or not to collect it in the first place. Second, the right to knowledge. Users should always know what data is being collected and what it is being collected for. This is the only way to empower users to decide what collection is legitimate and what isn’t. Anything less is a sham. Third, the right to access. Companies should recognize that data belongs to users, and we should all make it easy for users to get a copy of…correct…and delete their personal data. And fourth, the right to security.
General agreement, but conflicting proposals
By the following year, there was bipartisan support for such a law, but little agreement on exactly what protections it should offer. Since then, lack of agreement on the specifics has prevented meaningful progress.
That has seen a number of US states proceed with their own privacy laws. California’s Consumer Privacy Act is the strongest of these, though even that failed to tackle the first bullet point: requiring companies to have a good reason to collect personal data.
One barrier to a federal law has been conflicting proposals put forward by Sen. Maria Cantwell (D) and Rep. Cathy McMorris Rodgers, with neither side willing to compromise. Cantwell wanted stronger enforcement measures, including granting individuals the legal right to sue companies who violated the law. Rodgers has now agreed to this.
Cantwell and Rogers agree compromise
However, the two have now agreed a compromise bill, known as the American Privacy Rights Act (APRA).
“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chair Rodgers and Cantwell.
“This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”
One area where Rodgers appears to have given ground is on the issue missing from California’s law – requiring companies to have a good reason for collecting the data in the first place – as Spokeman reports.
The draft legislation, obtained exclusively by The Spokesman-Review, would limit the data that companies can collect, retain and use to only what they need to provide their products and services. That would represent a major change from the current consent-based system that forces users to scroll through long privacy agreements and barrages them with pop-ups asking for their permission to be tracked online.
Currently, US companies can collect and store any personal data about you they like, provided they disclose this fact in their privacy policy – which can be worded in extremely general terms.
A key compromise on the Democrat side is that small businesses are exempt from the law, so long as they don’t sell customer data to third parties.
Photo by Jason Dent on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments