Legislators around the world have taken notice of the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR has substantial privacy and data security protections, and governments around the world are grappling with whether to implement similar legislation.
In April 2018, two United States Senators introduced a “privacy bill of rights” that, like GDPR, would largely require affirmative opt-in consent in order for entities to collect or use personal data. While this bill—introduced as the CONSENT Act, S. 2639 (Apr. 10, 2018)—seeks to close the gap between U.S. privacy laws and GDPR, it follows in the footsteps of previous “privacy bill of rights” legislation that failed in Congress in 2011 and 2015. The CONSENT Act was referred to the Senate Committee on Commerce, Science, and Transportation.
Separately, also in April 2018, a bipartisan group of senators proposed similar legislation that would increase online data transparency. This bill—the Social Media Privacy and Consumer Rights Act—does not go nearly as far as the CONSENT Act or GDPR, but contains several similar features. For instance, this bill would require websites to provide users with a copy of data that has been collected about them, codify the FTC’s existing expectation that companies will disclose their privacy practices to consumers, and require notice within 72 hours in the event that a website violates its own privacy practices. This bill also remains in committee.
TIP: Privacy regulation continues to gain momentum. Organizations that collect, use, or store consumer data should get their privacy houses in order both as a best practice and to be prepared to handle new regulation in this constantly shifting landscape.