As enforcement from the European Union (EU) on the General Data Protection Regulation (GDPR) looms on the horizon, and privacy violations abound, lawmakers in the United States are paying more attention to domestic privacy laws. Last month, four U.S. Senators introduced two bills intended to enhance consumer privacy protections and place certain constraints on online service providers.

One bill proposes to accomplish this by requiring "opt-in" consent for the use of web browsing history and, in the other, by mandating an "opt-out" procedure with respect to the collection and use of consumer personal information. Although it will likely take time, if ever, for these bills to become law, they suggest a willingness, among at least some members of Congress, to address consumer privacy issues on a federal level and adopt certain concepts from the GDPR.

The CONSENT Act

On April 10, Senators Edward J. Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions Act (CONSENT Act).

The bill would require the Federal Trade Commission (FTC) to establish privacy protections for customers of online service providers, such as Amazon, Facebook, and Google, that collect "sensitive customer proprietary information" (SCPI) from their consumers. SCPI is defined broadly to include, among other things, the content of communications, and web browsing and app usage history. Treating web browsing history and app usage history as 'sensitive' would certainly be a shock to most U.S. ad tech companies. Consistent with best practices and existing state law, customers must also be notified as to what data is collected and for what purpose, and with whom it will be shared.

Significantly, these providers would be required to obtain "opt-in consent" from customers to use, share, or sell SCPI. In addition, under the bill, an online service provider would be prohibited from refusing to provide services to a customer who does not opt-in to the collection, use, and sharing by the provider of their information.

In a statement about the bill, Senator Markey said, "America deserves a privacy bill of rights that puts consumers, not corporations, in control of their personal, sensitive information."

The CONSENT Act, almost as a throwaway line, includes a security breach notification obligation. With the current patchwork of state security breach notification laws, any movement on this issue on the federal level would have a significant impact.

Social Media Privacy Protection and Consumer Rights Act of 2018

The second bill, the Social Media Privacy Protection and Consumer Rights Act of 2018, was introduced in April by Senator Amy Klobuchar (D-MN) and Senator John Kennedy (R-LA) with the stated goal of seeking to "protect the privacy of users of social media and other online platforms."

Under this bill, unless a user opts out, online providers must notify users of the data that is being collected from and about them (and make a copy available to them), as well as identification of any third parties who will have access to their data.

The bill broadly defines personal data as individually identifiable information about an individual collected online, and includes, among other things, the content of a message; an email address; a telephone number; a government identifier, such as a Social Security number; and geolocation information. The bill also requires that operators of online platforms establish and maintain privacy and security programs for their platforms and also includes data security breach obligations.

In a statement advocating change in privacy protections, Senator Klobuchar compared the digital and online arena to the Wild West.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.