Mandatory opt-out, data breach notification part of new privacy bill

Sen. Amy Klobuchar (D-Minn.) and a trio of her colleagues have reintroduced a bill to protect people’s privacy when their data is collected by big tech companies like Facebook, Twitter, and Google.

Klobuchar originally proposed the bill in 2018 with Sen. John Kennedy (R-La.) and again in 2019 when the Senate was under Republican control. The legislation, known as the Social Media Privacy Protection and Consumer Rights Act, would compel companies to allow people to opt out of tracking and collection. The Verge first reported the latest reintroduction.

The bill didn’t get any traction the first two times it was introduced, though plenty has changed in the last few years. Social media companies have come under greater scrutiny due to their market power, data collection, and privacy practices, and Congress has held several hearings to question big-tech firms on these issues. Perhaps reflective of the shift, the bill today has three co-sponsors: Kennedy returns, and Sens. Joe Manchin (D-W.Va.) and Richard Burr (R-N.C.) are new.

“For too long, companies have profited off of Americans’ online data while consumers have been left in the dark,” Klobuchar said in a statement to Ars. “This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information.”

The bill prescribes several changes to the way social media, search, and other data-centric companies handle user data. For one thing, they have to give consumers a way to opt out of data collection. That process might be as straightforward as someone declining the terms of service. If a person does opt out, the bill says companies are free to deny users access.

In reality, some companies may find it challenging to deny access to all users who opt out. Take Google, for example. The site does not require someone to be logged in to perform a search, and while untracked users may be less lucrative, they can still be served ads. With a company like Facebook, it might be harder for people to opt out of tracking while retaining their account. According to the 2018 bill, a company could present terms of service that detail how a user’s data will be collected and used. If the user accepts the terms, Facebook could access the user’s data. Declining the terms would effectively opt the user out.

Terms of service likely will have to be rewritten to comply with the proposed legislation, though. Today’s terms of service are often lengthy and filled with legalese. On some sites, they’re also poorly formatted, making them almost impossible to digest. The bill addresses all of those problems, saying that terms of service must be in a form that is “easily accessible, of reasonable length… and uses language that is clear, concise, and well organized and follows other best practices appropriate to the subject and intended audience.”

If a user closes an account, companies would have 30 days to delete the user’s data unless some other law compels them to keep it.

The bill also prescribes what companies must do if they suffer a data breach or if personal data somehow leaks out in violation of a company’s privacy policy (think Cambridge Analytica). Within 72 hours of a breach or leak, a company has to notify its users of the incident, send a reminder of the ability to opt out or close their account, allow them to request that their data be deleted, and provide them with a full copy of the data that has been collected, including a list of the other parties with which it has been shared.

Though the bill has just been reintroduced and its passage remains uncertain, support for it or something similar has been gaining steam, even among social media companies. As state legislatures have introduced a patchwork of dozens of privacy bills, Facebook has called for federal privacy regulations to simplify compliance.

Should the legislation pass, it would be enforced jointly by the Federal Trade Commission and states’ attorneys general.

“It’s common sense that people have a right to data privacy, and that right does not evaporate when someone logs on to their social media profile,” Kennedy said in a statement to Ars. “Social media companies have a duty to protect their users’ data and to offer quick solutions when a breach occurs. The Social Media Privacy Protection and Consumer Rights Act would strengthen users’ control over their own data and better protect their privacy.”