Will the New Consumer Privacy Bill Protect You?

Legislation that would establish new nationwide privacy protections for American consumers was introduced by a group of high-profile Democratic senators on Thursday, including Pat Leahy (Vermont) and Elizabeth Warren (Massachusetts). The Consumer Privacy Protection Act would establish federal standards for notification of consumers when their data is lost or stolen, greatly expand the definition of private information beyond financial data, and allow existing state privacy laws to remain in force. Geolocation data and images would be covered by its data leak disclosure rules, for example.

“Today, data security is not just about protecting our identities and our bank accounts, it is about protecting our privacy. Americans want to know not just that their bank account and credit cards are safe and secure, they want to know that their emails and their private pictures are protected as well,” Sen. Leahy said. “Companies who benefit financially from our personal information should be obligated to take steps to keep it safe, and to notify us when those protections have failed.”

Consumer groups cheered the proposal, saying it offered a fresh approach to consumer privacy.

“This is a step forward. This is the first time you get something new in federal legislation. Usually it scales back (protections) in state law,” said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. “It’s good to see some new thinking on the issue, something that actually adds new protections for a lot of people.”

“Everyone from the NSA to the local grocer has become a consumer of our data. So many pieces of our data are being collected, stored, shared and sold, either without our knowledge or ability to understand the process,” said Adam Levin, privacy expert and chairman and founder of Credit.com. “It is long overdue that we expand the definition of ‘personally identifying information’ as well as the protections necessary to safeguard our privacy and data security and require quick notification when our PII is exposed.”

The legislation would require social media firms or cloud email providers to notify consumers if their accounts are compromised, Brookman said. Currently, most disclosure rules apply only to financial information such as credit card numbers.

The legislation comes on the heels of a similar White House proposal called “The Consumer Privacy Bill of Rights Act of 2015,” but goes several steps further than the administration’s proposal, said Susan Grant of the Consumer Federation of America. The White House proposal would allow federal law to supersede state laws, potentially diminishing consumer rights. It also requires demonstration of actual harm before requiring notice.

“(We believe) that federal legislation will only be helpful to consumers if it provides them with greater privacy and security protection than they have today. Most of the bills that we have seen in Congress would actually weaken existing consumer rights and the ability of state and federal agencies to enforce them,” Grant said. “(This bill) takes the right approach, requiring reasonable security measures, providing strong consumer protection and enforcement, and only pre-empting state laws to the extent that they provide less stringent protection.”

Most significant: The legislation creates entire new classes of protected information. Private information is divided into seven categories. Compromise of any one of them would require companies to notify consumers. They are:

Social Security numbers and other government-issued identification numbers;
Financial account information, including credit card numbers and bank accounts;
Online usernames and passwords, including email addresses and passwords;
Unique biometric data, including fingerprints;
Information about a person’s physical and mental health;
Information about a person’s geolocation;
Access to private digital photographs and videos.

Leahy has repeatedly proposed legislation since 2005 that would establish a nationwide notification standard called the Personal Data Privacy and Security Act; it has not passed. While co-sponsors of this new bill include Al Franken (Minn.), Richard Blumenthal (Conn.), Ron Wyden (Ore.) and Edward J. Markey (Mass.), there are, notably, no Republican co-sponsors. That probably dooms the bill, says Brookman.

“They didn’t get a GOP co-sponsor, and that’s not a great sign. Still, having the bill out there is good for dialog on the issue,” he said.