Senator Ed Markey, at Senate hearing on data privacy
Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which aims to require clear opt-in permission from “edge providers” (online services) to use, share, or sell user data. The bill seems to bring legislation similar to the European Union General Data Protection Regulation (GDPR) to the U.S.
Opt-In Requirement For Data Use
Up until now, online services companies have typically gotten away with tracking and collecting user data without first requiring explicit permission. Some of the largest changes we’ve seen these companies make in the past few years, whether it was Google, Microsoft, or Facebook, have been a direct result of investigations or legislation being passed mostly in the EU.
Some U.S. senators, such as Senator Markey, who was also the House author of the Children’s Online Privacy Protection Act of 1998, and Senator Blumenthal, now want the U.S. to pass similar legislation to require online services to obtain clear consent from their users before collecting or using their data.
Senator Markey said that:
America deserves a privacy bill of rights that puts consumers, not corporations, in control of their personal, sensitive information. The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land. Voluntary standards are not enough; we need rules on the books that all online companies abide by that protect Americans and ensure accountability. I thank Senator Blumenthal for his partnership and look forward to working with my colleagues on a bipartisan basis to pass the long-overdue privacy bill of rights.
More specifically, the CONSENT Act:
- Requires edge providers to obtain opt-in consent from users to use, share, or sell users’ personal information
- Requires edge providers to develop reasonable data security practices
- Requires edge providers to notify users about all collection, use, and sharing of users’ personal information
- Requires edge providers to notify users in the event of a breach
- Requirements are enforced by the FTC
ISPs Are Excluded From CONSENT Act
Although the bill seems to stand on its own as a pro-consumer rights bill, it is also written in a way that’s clear it won’t affect “network providers” (ISPs). The bill constantly refers to online services as “edge providers,” a term typically used by ISPs when discussing legislation.
Ever since online service companies such as Google, Netflix, and others fought to pass the 2014 net neutrality rules, ISPs have started complaining that it wasn’t fair that online services can gather all the data they like about their users but the ISPs cannot.
These complaints ramped up when the FCC also wanted to pass the broadband privacy framework, which have required ISPs to ask for user consent before using their data in any way beyond providing the basic internet services for which customers already pay them money.
Once the ISPs were able to defeat these rules with the help of the new FCC Chairman, Ajit Pai, they also started lobbying politicians to offer consumers the “same protections” across the board.
Charter recently said:
Charter believes individuals deserve to know that no matter where they go online or how they interact with online services, they will have the same protections. Different policies leading to inconsistent protections sow confusion and erode consumer confidence in their interactions online, threatening the Internet’s future as an engine of economic growth. And as an Internet Service Provider, that’s bad for business.
So we are urging Congress to pass a uniform law that provides greater privacy and data security protections and applies the same standard to everybody in the Internet ecosystem, including us.
It’s not yet clear if the CONSENT Act is the legislation the ISPs wanted to pass, given the author’s two decade history of introducing privacy-focused legislation. However, it is suspicious how the legislation seems to target only edge providers and how clear it is about that, even though there is no good reason why, like the GDPR, it can’t impact all companies that deal with consumers’ data (ISPs, credit reporting companies such as Equifax, and so on).