WASHINGTON, D.C. — Republicans have introduced legislation that would enact nationwide consumer data protections, but experts disagree on whether the proposed federal standard would actually protect Americans’ online privacy.
Under the SECURE Data Act and the GUARD Financial Data Act, companies would have to inform American users of data collection, sharing, and use; provide an option to delete or request a copy of personal data; and, in theory, allow consumers to opt-out of targeted advertising.
Supporters of the bills say the existing patchwork of state laws “create uncertainty for businesses and leave consumers without uniform protections” and that the two bills will “empower businesses to grow responsibly while safeguarding the rights of Americans,” as Rep. Jay Obernolte, R-Calif., recently argued.
Yet two of the three experts in data privacy and electronic security who spoke with The Center Square believe the bills will actually undermine millions of Americans’ data privacy rights, rather than meaningfully safeguard them.
Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, called the legislation “privacy bills in name only.”
“They allow companies to continue collecting and using our personal data however they please, as long as they tell us what they’re doing in a privacy policy that no one reads. And even if they read it, they don’t have a meaningful choice,” Fitzgerald told The Center Square.
“Technology is such an integral part of our lives now that it’s not a meaningful privacy protection to have companies be able to dictate the terms in a privacy policy, then force us to take it or leave it.”
Most of the protective standards that the bills would enact, if not already standard industry practice, include exemptions and language loopholes.
For instance, the secure data act includes language that appears to restrict companies from using automotive technology to create highly-detailed profiles of users, in order to sell that data to advertisers and others.
But the bill only restricts “solely automated” profiling. Corporations could interpret that to mean that such profiling is allowed so long as it is simply reviewed by a human, F. Mario Trujillo from the Electronic Frontier Foundation warned.
“Corporate lobbyists have gotten very good at building these very small loopholes into laws where the provisions look kind of good, but then you get a privacy lawyer to look at it and see that you can drive a truck through that provision,” Trujillo, EFF’s senior staff attorney, told The Center Square.
“The profiling definition is one example of that, but there are many examples where there are minor ways that definitions are drawn that are very favorable to companies,” Trujillo added. “It seems like a lot of the definitions in this bill are very basic.”
As another example, the bill includes language that initially reads like a data minimization requirement. It requires companies to limit their collection of personal data to what is “adequate, relevant, and reasonably necessary” – not, however, for the service provided, but for the purposes “disclosed to the customer.”
In other words, rather than restricting companies to collecting only personal data “adequate, relevant, and reasonably necessary” to provide its services, the bill merely requires a company to inform a consumer of its intentions.
“Companies should only collect and use our data in ways we expect, in ways that are necessary for the product or service we’re asking for,” Fitzgerald, from EPIC, said. “So for example, my weather app can collect my location data because it needs that data to show me the weather where I am, but they shouldn’t be selling it to a dozen data brokers. A flashlight app shouldn’t collect my location data at all.”
The legislation would overturn dozens of existing state privacy laws and preempt any state laws stricter than the proposed federal standard, such as a Californian law that allows consumers to sue companies for certain data privacy violations.
“The worst thing about it is that it tells states they can’t pass any stronger laws to protect residents, even if technology changes,” Fitzgerald said. “Historically, privacy laws have set a floor, and states can pass stronger laws on top of that…But [the SECURE Data Act] would take away rights from people in states that already have stronger privacy laws.”
EFF is also concerned about the preemption language, particularly with the growing risks to consumer’s data privacy as AI technology spreads and becomes more sophisticated.
“This bill essentially wipes out any state privacy laws or regulations on the books, and then it prevents states in the future from regulating privacy if new harms arise,” Trujillo said. “In future years, if there’s some new privacy problems and we identify real tangible harms that we can target — maybe related to AI or something like that — this bill essentially doesn’t allow that to happen.”
There are some experts, however, who believe that a weaker baseline standard is probably better than no federal standard at all.
Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, leans toward that view, though he clarified to The Center Square that IAPP is policy-neutral.
“In the absence of a federal privacy law, as this has been left to the states, we have seen the slow spread of consumer data rights for Americans in various states. But those requirements to respect consumers’ choices around their data only apply to less than half of the U.S. population,” Zweifel-Keegan pointed out.
“So any federal standard that adopts those obligations for businesses to adopt best practices and respect consumers’ preferences is stronger than not having a requirement at the federal level. It extends those protections to all Americans, so there’s certainly that to be said for it.”
He also highlighted provisions in the SECURE Data Act that have broad support among privacy advocates, such as requiring data brokers that make at least half of their profits from selling personal data to register with the Federal Trade Commission and addressing cross-border data transfers.
Additionally, the bill incorporates the Children’s Online Privacy Protection Act, which treats the online data of children and teens as inherently sensitive, requiring companies to obtain verifiable parental consent before processing it.
Zweifel-Keegan noted that both the bills are still in the negotiation phase and that the introduction of any data privacy legislation “provides a foundation for the conversation to happen, and I think it’s a meaningful step forward toward passing a federal privacy law.”
“People are not wrong in their framing about it, but my overall perspective is that it would be meaningful to have a baseline protection for all Americans,” he said.
Trujillo disagreed, arguing that the “better than nothing” view “doesn’t apply in this case, and that’s because of the preemption provisions.”
“What you’re essentially doing here is you’re establishing a federal standard, but then you’re wiping away tons of pre-existing data privacy laws that are doing some real work, like the Illinois Biometric Protection Act,” Trujillo said, adding that many companies have voluntarily changed how they collect biometric data on all users due to the law.
“So that’s why I think the calculus here isn’t really ‘this is better than nothing,’ because we already have something, and what this bill would be doing is wiping away all of that, and then preventing states from doing anything stronger in the future,” he said. “And that’s why I don’t really see the better-than-nothing argument really holding water here with this bill.”
