US Senators Introduce Social Media Privacy And Consumer Rights Act

U.S. Senators John Kennedy of Louisiana and Amy Klobuchar of Minnesota introduced the Social Media Privacy and Consumer Rights Act of 2018, which is supposed to improve transparency, strengthen consumers’ recourse options in case of a data breach, and ensure that companies are compliant with privacy policies that protect consumers.

This new bill follows another Senate bill introduced recently by Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut called the CONSENT Act.

Social Media Privacy and Consumer Rights Act of 2018

After the Facebook and Cambridge Analytica privacy scandal, Congress seems to be moving towards increasing consumers’ privacy protections in the United States. The European Union’s new General Data Protection Regulation (GDPR) will also go into effect in May, so Congress may feel that it needs to keep up.

More specifically, the new bill aims to improve the following things in American privacy rights legislation:

  • Requires terms of service agreements to be in plain language
  • Ensures users have the ability to see what information about them has already been collected and shared
  • Provides users greater access to and control over their data
  • Gives consumers the right to opt out and keep their information private by disabling data tracking and collection
  • Mandates that users be notified of a privacy violation within 72 hours
  • Offers remedies for users when a privacy violation occurs
  • Requires that online platforms have a privacy program in place

Senator Klobuchar said:

Every day companies profit off of the data they’re collecting from Americans, yet leave consumers completely in the dark about how their personal information, online behavior, and private messages are being used. Consumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised. The digital space can’t keep operating like the Wild West at the expense of our privacy.

Many of the provisions in the bill already seem in line with the GDPR. However, there is one far more important provision that seems to be missing from it: requiring companies to ask for explicit consent (users would have to opt-in, rather than opt-out) before collecting their data.

As such, although the Social Media Privacy and Consumer Rights Act of 2018 borrows some good ideas from the GDPR, it doesn’t come close in terms of the control it gives consumers over their data and how that information is collected.

The CONSENT Act is not perfect. As we discussed earlier, it seems to go out of its way to ensure that the new bill only affects “edge providers” or online services rather than ISPs, too.

However, Markey’s bill comes with many of the same transparency and data breach disclosure provisions that the Social Media Privacy and Consumer Rights Act has, while also requiring online companies to ask for consent before collecting user data. Additionally, the companies are required to notify users about all types of data collection and data sharing with third parties.

Perhaps the two bills can be combined, as long as the CONSENT Act remains intact. Otherwise, the CONSENT Act is the bill you should want to call your Senator to vote for, if you care about stronger privacy rights.

Ideally, both of them would target the ISPs, or better yet anyone that deals with consumers’ data, which is the approach the EU GDPR took. U.S. consumers may gain new protections against social media and other online companies, but if their ISPs are free to share and sell data collected from all of their paying customers, then that wouldn’t be as large of a win as it could be.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Giroro
    If this congress actually cared about privacy, then they would restore net neutrality and repeal the blatantly unconstitutional CLOUD act.

    Based on what's been coming out of congress in the last couple years, I am immediately suspicious. I wouldn't be surprised if the language of the bill actually strips away more consumer protections than it protects.
  • stdragon
    20916790 said:
    Based on what's been coming out of congress in the last couple years, I am immediately suspicious.

    Uh oh. You just got woke! "Agents - he took the Red Pill, nab him!"

    In all seriousness, this has been going on far longer than just a "last couple of years".

    Remember that Wannacry outbreak used against the UK medical facilities? Yeah, you can thank the NSA for hoarding known Windows exploits, not telling anyone about it, then they (NSA) themselves got hacked and the tools used against all of us. And it doesn't start there, it goes back more recently to PRISM and even an attempt at a hardware backdoor via the Clipper chip back in the 90s.

    Gets better - So remember when the Zuck got grilled in front of Congress? Yeah, he donated to the members ranging in the hundreds of thousands of dollars in total. Oh yeah, pure impartiality right there...</sarcasm>
  • turkey3_scratch
    20916790 said:
    If this congress actually cared about privacy, then they would restore net neutrality and repeal the blatantly unconstitutional CLOUD act.

    How is net neutrality directly related to privacy, though? So far it's been a pretty long time since net neutrality has been repealed, and everything seems to be going fine here in America. If, of course, stuff has been happening I have not been seeing (since I don't follow all the news) I'd be happy if you'd point me to it.
  • ynhockey
    This proposal is actually better than GDPR in terms of consent. I work for a software company that (among other things) builds solutions for GDPR, and the consent part can get frankly ridiculous. Like if you want to buy a shirt from a small online clothing retailer (can even be a mom-and-pop business), you need to agree to 5 or 10 separate clauses related to privacy, because they are the minimum required to technically run the store online (cookies, order history, etc.), and more if you want to approve all the "recommended" things (e.g. login history). Not to mention there are some apparent contradictions with other regulations in non-EU countries, e.g. about keeping transaction history.

    As much as privacy is valuable, an opt-out approach protects it almost as much, but also doesn't pollute simple online processes like registration, shopping, etc.