Businesses and online privacy advocates hold diametrically opposing views on the wisdom of congressional Republicans’ plans to enact a nationwide framework for consumer data privacy protections.
The SECURE Data Act, which a U.S. House committee reviewed Wednesday, would require online platforms to inform American users of data collection, sharing and use. The bill would also provide consumers an option to delete or request a copy of personal data, and, in theory, allow consumers to reject targeted advertising.
Business advocates present at the committee hearing praised the bill, calling it “long overdue.” They argued that it strikes the right balance between protecting consumers and supporting businesses, which currently have to navigate a patchwork of privacy laws enacted by 22 states.
“Overly burdensome or conflicting state mandates create compliance uncertainty that gets in the way of business investment and growth,” Ashli Watts, representing the Kentucky Chamber of Commerce, told lawmakers. “The SECURE Data Act offers American consumers a strong, uniform set of privacy rights. It offers American businesses the clarity and consistency they need to innovate, compete and grow.”
Privacy advocates, however, argued that implementing the SECURE Data Act would be worse than having no federal standard at all.
The SECURE Data Act would overturn dozens of existing state privacy laws and preempt any state laws stricter than the proposed federal standard, such as a California law that allows consumers to sue companies for certain data privacy violations and a Maryland law that prevents companies from selling sensitive consumer data.
Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, said a strong privacy law “should work with, not against, established state protections.”
“The SECURE Data Act would freeze outdated standards into law while hitting the delete button on decades of state laws related to privacy, data security, civil rights, and kids’ online safety,” Fitzgerald told lawmakers. “Rather than advancing consumer rights, its passage would cement weak rules into law, deter stronger future laws, and leave Americans more vulnerable than ever.”
Additionally, she said, most of the bill’s protective standards include multiple exemptions or provide loopholes for companies.
For instance, the bill includes language that initially reads like a data minimization requirement. It requires companies to limit their collection of personal data to what is “adequate, relevant, and reasonably necessary” – not, however, for the service provided, but for the purposes “disclosed to the customer.”
In other words, rather than restricting companies to collecting only personal data “adequate, relevant, and reasonably necessary” to provide its services, the bill merely requires a company to inform a consumer of its intentions.
“A data minimization rule only works if it limits how much data companies can collect and how they can use it, which the SECURE Data Act fails to do,” Fitzgerald noted. “In fact, it incentivizes companies to list as many purposes as possible, as broadly as possible in their policies, to cover every reason they might ever use data. And the only ‘choice’ a consumer has is to avoid the service.”
Fitzgerald argued that the bill’s “opt-in consent” requirement is another example of giving consumers an only “illusory” choice, since it allows companies to combine both “necessary” and “unnecessary” data collection into a single consent request.
“My 8-year-old loves soccer, and every league he joins requires me to download a new app to see the schedule. If I do not agree with the app’s terms, there is no ‘disagree’ button. I must accept the terms, no matter how exploitative, or not use the app,” Fitzgerald said. “Am I supposed to tell my son he can’t play soccer because his mom doesn’t want her personal data used to train AI systems? We should not bake this unfair system into law.”
Given general Democratic opposition to the bill, the SECURE Data Act will likely die in the Senate even if it passes the House.