With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.

Last week, on January 16, 2019, Republican Sen. Marco Rubio introduced the American Data Dissemination (ADD) Act (S. 142). Recognizing the lack of a single comprehensive federal privacy law, the ADD Act seeks to “provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.” It instructs the Federal Trade Commission (FTC) to prepare privacy regulations applicable to “covered providers”—i.e., persons who provide a service that uses the internet to collect records containing personally identifiable information—for approval by Congress that are substantially similar to the requirements under the Privacy Act of 1974. Among other things, the FTC would be required to establish criteria for exempting small or newly formed providers, to restrict disclosure of records, and to provide consumers with rights to access and correct their personal data. The ADD Act, if enacted, would preempt the California Consumer Privacy Act (see our CCPA page here) and other state privacy laws, including the recently introduced New York privacy bill, which would establish a privacy bill of rights for New York residents.

On January 18, 2019, a bipartisan bill (S. 189) was introduced by Sen. Amy Klobuchar and Sen. John Kennedy to “protect the privacy of users of social media and other online platforms.” While the text of the current bill is not yet available, it is expected that the 2019 version will be substantially similar to the Social Media Privacy and Consumer Rights Act of 2018 (S. 2728), which the two senators introduced in the prior Congress. In addition to imposing a 72-hour breach notice obligation on online platform operators, the prior version would have required such an operator to inform users that their personal data would be collected and used by the operator and third parties and to provide users with a right of access to the personal data collected about them. Additionally, under the prior version, the operator would have been required to provide users the option to specify privacy preferences and could have denied users certain services or access if such privacy specifications made the operator’s platform inoperable.

These two 2019 federal bills follow several introduced in late 2018, including the Data Care Act of 2018 (S. 3744)introduced by 15 Democratic senators in December 2018, the draft Consumer Data Protection Act introduced by Sen. Ron Wyden in November 2018 and the Information Transparency & Personal Data Control Act (H.R. 6864)introduced by Rep. Suzan DelBene in September 2018.

It remains to be seen which of these bills, if any, will gain traction. Our team is closely tracking legislative developments on both the federal and state levels.