Last month, Senators introduced two bills aimed at increasing privacy protections for consumers. The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act would authorize the Federal Trade Commission (FTC) to promulgate regulations that improve consumer control over how data is collected and used. The second piece of legislation, known as the Social Media Privacy and Consumer Rights Act of 2018, seeks to protect consumers’ online data by increasing the transparency of data tracking and collection practices.
While both bills would implement new, stricter requirements on the collection and use of certain customer data, they do so in different, sometimes conflicting ways. Here are key features of each act.
CONSENT Act
- Applies to “edge providers” who provide services through a software program (including a mobile app) or over the internet (1) that require customers to subscribe or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer divulges sensitive customer proprietary information.
- Mandates imposing FTC regulations that:
  - Require opt-in consent from a customer prior to using, sharing, or selling sensitive customer proprietary information. “Sensitive information” includes Social Security numbers, web browsing or app usage history, and financial, health, geolocation, or call detail information.
  - Prohibit edge providers from refusing service to customers who do not consent to the use or sharing of their customer proprietary information for commercial purposes.
  - Require edge providers to develop reasonable data security practices including notice to consumers if a data breach occurs and “harm is reasonably likely to occur.”
Social Media Privacy and Consumer Rights Act
- Applies to any online platform that collects personal data during the online behavior of a user of the online platform. An “online platform” means any public-facing website, web app, or digital app (including a mobile app); and includes a social network, an ad network, a mobile operating system, a search engine, an email service, or an Internet access service.
- Provides consumers a right of access to see what information about them has been collected and used, and requires online platforms to have a privacy program in place.
- Requires online platforms to provide users with terms of service that include how personal data is collected. Terms of service must be “easily accessible,” “of reasonable length,” “clearly distinguishable from other matters,” and contain “language that is clear, concise, and well-organized.”
- Allows consumers to opt out of data collection and tracking, but permits providers to deny certain services or complete access if a user’s privacy selections “creates inoperability in the online platform.”
- Requires notification to users within 72 hours after the provider becomes aware that the user’s personal data “has been transmitted in violation of the privacy or security program” or the user’s privacy preferences.
Both bills are currently pending before the Senate Committee on Commerce, Science, and Transportation. We will follow their progress and post updates here. The Social Media Privacy and Consumer Rights Act, a bipartisan bill introduced by Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA), likely has a better chance of making it out of committee than the Democrat-sponsored CONSENT Act.