We don’t hear the words “bi-partisan” as often as we used to, but Senators from both parties have come together to introduce the Social Media Privacy and Consumer Rights Act of 2018.

While it doesn’t solve the problems of data collecting and tracking, it certainly is a positive step towards getting some common sense controls in place.

The bill would help protect consumers’ online privacy and data by improving transparency, strengthening consumers’ recourse options when a data breach occurs and ensuring companies are compliant with privacy policies that protect consumers.

Social Media Privacy and Consumer Rights Act of 2018

  • Requires terms of service agreements to be in plain language,
  • Ensures users have the ability to see what information about them has already been collected and shared,
  • Provides users greater access to and control over their data,
  • Gives consumers the right to opt out and keep their information private by disabling data tracking and collection,
  • Mandates that users be notified of a privacy violation within 72 hours,
  • Offers remedies for users when a privacy violation occurs,
  • Requires that online platforms have a privacy program in place.

“I don’t want to hurt Facebook, and I don’t want to regulate them half to death, either. But I have a job to do, and that’s protecting the rights and privacy of our citizens,” said Sen. John Kennedy (R-Louisiana), co-author of the bill. “Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations. These are just simple steps that online platforms should have implemented in the first place.”

“Every day companies profit off of the data they’re collecting from Americans, yet leave consumers completely in the dark about how their personal information, online behavior, and private messages are being used,” Sen. Amy Klobuchar (D-Minnesota) said. “Consumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised. The digital space can’t keep operating like the Wild West at the expense of our privacy.”

Stops Short Of European Union Laws

The bill stops short of the “Right to be Forgotten” provision, and of some of the tougher language and fines found in the data protection law that goes into effect shortly in the EU. The GDPR (General Data Protection Regulation) extends to anyone who provides services to European Union residents, regardless of where the provider is located.

According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Here, by comparison, are the key provisions in the GDPR:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organizations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • The ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.