Privacy & Information Security Law Blog

On November 18, 2019, the ranking members from four Senate Committees (Senator Maria Cantwell (WA) from Commerce, Senator Dianne Feinstein (CA) from Judiciary, Senator Sherrod Brown (OH), and Senator Patty Murray (WA) from Health, Education, Labor and Pensions) released a set of “core principles” for federal privacy legislation.

The principles cover several issues across four categories to protect consumer privacy: (1) establish data safeguards; (2) invigorate competition; (3) strengthen consumer and civil rights; and (4) impose real accountability. These break down more specifically as follows:

• Establish Data Safeguards
  • Minimization – Collection of data must be minimized so it is narrowly tailored to its authorized use.
  • Abuse prevention – Harmful, deceptive and abusive collections and uses of data must be prohibited.
  • Sharing limits – Rules must be established to limit data sharing to that which is necessary to carry out purposes expected and authorized by consumers.
  • Security – Organizations need higher standards for the way they retain and secure data.
• Invigorate Competition
  • Market Power Checks – Consumers must be able to prevent their data from being commingled across separate businesses within an enterprise and ensure those restrictions apply to data obtained through mergers and acquisitions.
  • Data Portability – Consumers must be empowered to take their data to the company of their preference.
• Strengthen Consumer and Civil Rights
  • Individual Consumer Rights – Consumers should be provided with the rights to know, access, delete, correct and restrict the transfer of their data. Consumers must also receive heightened protections such as a “do-not-track” right.
  • Civil Rights Protections – Consumers must have transparency into algorithmic decisions that result in bias or discrimination and have the ability to challenge such decisions.
• Impose Real Accountability
  • Corporate Accountability – The burden of protecting privacy must be shifted from consumers to companies. Companies must secure their data, use it ethically, and not use it to consumers’ detriment. This should include increased CEO accountability, whistleblower rights and consumer redress mechanisms.
  • Federal Enforcement and Rulemaking – The Federal Trade Commission should be provided with first instance civil penalty authority, rulemaking authority to ensure the law can adapt to new technologies, and additional resources and staff.
  • State and Private Remedies – State attorneys general must be able to enforce the law, and it must include a meaningful private right of action.