On April 10, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced new privacy legislation titled the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. In a statement published on his website, Senator Markey referred to the legislation as a “privacy bill of rights” and explained that “[t]he avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land.”
The CONSENT Act directs the Federal Trade Commission (FTC) to “establish privacy protections for customers of online edge providers.” These protections include requiring edge providers to notify customers about the collection and use of “sensitive customer proprietary information,” which the Act defines to include, among other things, financial and health information, the content of communications, and web browsing and application usage history. Customers must also be notified about the types of sensitive customer proprietary information that the edge provider collects, how the information will be used and shared, and the types of entities the edge provider will share the information with.
The centerpiece of the CONSENT Act is its “opt-in” requirement for edge providers to obtain consent from customers for the use of “sensitive information.” This differs from the model currently employed by most online companies, under which customers may opt out of data collection. The Act also prohibits an edge provider from refusing to serve customers who do not consent to the use and sharing of their sensitive proprietary information for commercial purposes.
Other features of the CONSENT Act include the implementation of protections to prevent the restoration of sensitive customer proprietary information that has been de-identified, the requirement that edge providers disclose plans that provide discounts in exchange for the customer’s consent to use their sensitive customer proprietary information, the requirement that providers develop “reasonable data security practices,” and the implementation of data breach notification requirements. The Act would be primarily enforced by the FTC, but also provides civil enforcement authority to state attorneys general.
Today, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) announced that they too plan to introduce privacy legislation. Several House members have also recently introduced bills aimed at bolstering consumer privacy protections. Last May, Rep. Marsha Blackburn (R-TN) introduced the Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act of 2017, which would authorize the FTC to enforce privacy protections including opt-in consent for the use of sensitive information. In October, Rep. Jan Schakowsky (D-IL) introduced the Secure and Protect Americans’ Data Act, which would require providers to reasonably secure customers’ personal information and provide notice in the event of a data breach. Both bills are currently pending before the Subcommittee on Digital Commerce and Consumer Protection in the House Committee on Energy and Commerce.