It’s been six months since I testified in front of Congress about the need for federal data privacy protections. While those laws felt frustratingly far off at the time, they’re quickly coming into focus: On Sunday, a senator and a congresswoman introduced their draft of the American Privacy Rights Act, a bipartisan, bicameral proposal that would put people in control of their own data.
Look, we are doing Season Two of the podcast on data, because you can’t talk about AI without talking about data: These AI systems are very data-hungry, hoovering up as much data as possible in order to train them. And because of the incentive system these technologies exist in, it's almost natural to believe that they will be coming after your data as well. We need a counterbalance to protect consumers’ privacy, and that protection does not exist. (Things are, naturally, different in Europe: They enacted their AI Act last month, which I wrote about in December.)
Drafted by Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.), this landmark legislation would make privacy a consumer right. It covers a wide and essential range of protections, from preventing companies from discriminating against people based on their personal information to issuing strong security standards to prevent data breaches (and holding company executives accountable). Most importantly, it makes them enforceable.
Here are the top five things to know:
The federal government will clean up the state patchwork. As I wrote last month, many states have taken it upon themselves to regulate data privacy, notably California. But this patchwork is annoying for companies, and it doesn’t provide a “floor” of how to protect us all. The American Privacy Rights Act would eliminate the existing crazy quilt of state data privacy laws, per the joint statement, and replace it with a national privacy standard.
It will set forth a theory of data minimization. Companies will only be allowed to collect, keep and use the information about a person necessary to provide them with a specific product or service requested by the person to whom the data pertain. People also have the right to withdraw their consent at a later date.
It specifically addresses biometric and genetic information. I mean, this is not only data that can’t be changed, it’s the most sensitive data we “own.” (Just ask the nearly 7 million 23andMe customers who learned their data was leaked in a breach several months ago.) So… the APRA sets the bar higher and allows this data to be shared only with explicit consent from the user. Also notable is that the draft law sets a three-year timeframe for companies to keep biometric and genetic information, and sets limits on transferring that information to other parties without explicit consent.
It puts the Federal Trade Commission in charge of enforcement. What sticks out most for me here is that the FTC would be able to give people a “do not collect” tool, which data brokers have to follow. That means that people will be able to opt out of targeted surveillance (location data, phone logs, etc.).
While this will be popular, that’s not going to go over well with Google, Amazon, Meta or other big online companies, for whom this data is their lifeblood. It also means that when there are data breaches and lack of protections for covered data, the FTC will be the one to swoop in and enforce the law. APRA also gives the power of enforcement to state attorneys general and…
Consumers are given control! The APRA requires transparent privacy policies, written in easy-to-read language, explaining not only what information is gathered and why, but also whether it’s sold to data brokers. Data brokers, for example, have to have a very clear web presence, including being registered with the FTC (but honestly, with lame penalties of only $10k/year if they don’t register).
Going a step further, individuals will have access to and control over their data — a radical first. They can correct and delete that data, and can prevent its transfer or sale. They can request a copy of their data and even have it removed from the company’s records.
So, Will It Really Happen?
You can skim through the 140-page draft here and get excited. But don’t forget how a bill becomes law: We have a lot of work ahead of us. House and Senate aides told reporters on a Sunday call that there's no "target date" for introduction. Sigh.
It’s unclear which committee would go first on hearings or a markup. What is clear is that this will be a huge lobbying bonanza for K Street, where Big Tech spends money freely. (Just look at TikTok’s fast-moving efforts last month.)
It’s easy to be cynical that a lot of this is politics. (And maybe it is! As some child online safety bills are starting to move, legislators may be trying to get their name on something.) Also, McMorris Rodgers is retiring at the end of this Congress, and is probably looking to make a mark.
The detractions began immediately. Here’s Ted Cruz, the ranking member of the Senate Commerce Committee: "In particular, I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance."
Okay, so this is not getting signed any time soon. But lawmakers don't have a lot of time left in this Congress to reach compromises, address outside group concerns and get a law passed after years of stalemate.
Politics aside, it’s nice to see some movement. Can we be optimistic about that? My hope is that the politicians ultimately see that this is about American values. Are our values to allow our data to be violated? Or is it to protect us all?
Worth the Read
Elon Musk’s X homepage posted a headline about Iran attacking Israel…that was created by X’s Grok AI…on the first day that the platform’s trending news product, Explore, was updated. Who needs fiction? Simultaneously, and maybe ironically, Elon is also predicting that AI will surpass human intelligence by next year? (Also, this is coming from somebody who gets every Tesla ship date wrong by years.)
Remember the story about the AI-generated nudes circulated by high-school boys that shook a New Jersey town six months ago? The school has done nothing about it to date, reflecting a disturbing reaction to a disturbing trend.
Scientific American reports that a ban on TikTok would be “security theater.” (My new favorite term.) Sanctions on one app won’t staunch the flow of American data overseas.
Federal investigators forced Google to turn over data on viewers of a specific YouTube video, the first reported data dragnet.
The Guardian has a great history of deepfakes. I’m taking notes as I prepare a talk on deepfakes and elections at Vivatech later this year.