Cristiano Lima-Strong, reporting for The Washington Post:

Key federal lawmakers Sunday unveiled a sweeping proposal that would for the first time give consumers broad rights to control how tech companies like Google, Meta, and TikTok use their personal data, a major breakthrough in the decades-long fight to adopt national online privacy protections. The bipartisan agreement, struck by Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.), marks a milestone in the congressional debate over data privacy. The issue has befuddled lawmakers despite near-universal agreement — in Silicon Valley and in Washington — on the need for federal standards to determine how much information companies can collect from consumers online.

The measure, a copy of which was reviewed by The Washington Post, would set a national baseline for how a broad swath of companies can collect, use, and transfer data on the internet. Dubbed the American Privacy Rights Act, it also would give users the right to opt out of certain data practices, including targeted advertising. And it would require companies to gather only as much information as they need to offer specific products to consumers, while giving people the ability to access and delete their data and transport it between digital services.

Significantly, the deal — one of Washington’s most significant efforts to catch up to privacy protections adopted in Europe nearly a decade ago — would resolve two issues that have bogged down negotiations for years: whether a federal law should override related state laws and whether consumers should be permitted to sue companies that violate the rules.

Europe’s General Data Protection Regulation, commonly known as GDPR, aimed to achieve exactly what Cantrell and McMorris Rodgers’ bill now aims to do in the United States, but GDPR just makes users’ experience on the internet worse. The U.S. bill, which has not been fully written, would give users the right to request companies delete their user data — a crucial measure for data privacy in 2024. If you’re European, that might seem like common sense, but in the United States, consumers can only ask companies to delete their data, not force them to. This bill would change that.

Otherwise, the legislation is light on details, though I assume that will change as it gets written. It would allow users to opt out of targeted advertising, which is a potential cause for concern, although I imagine there will be a carveout for paid, advertisement-free subscriptions like the one Meta sells in Europe to comply with the Digital Markets Act and that is currently being challenged by the European Commission for some nonsense reason. And the mandate about restricting companies to only necessary data collection is essential to keep data brokers in check — brokers that collect massive amounts of data and sell it however they would like without any oversight or consumer consent.

Data transportation regulation is also important, though it concerns me how the measure will be written in this regard. Consumers should have the right to request copies of their data in easily accessible formats — not proprietary ones like the businesses that allow consumers to receive their data at all usually supply — and import that data in the finance and technology sectors. This regulation, however, should only apply to large corporations, as it may hinder innovation amongst smaller ones that need the data advantage the larger companies currently possess. (The new act does change rules depending on how large a company is, calculated via annual income.)

Color me skeptical, since data privacy regulation and monopoly checks are challenging pieces of legislation for a dysfunctional Congress to pass, but I think this new bill looks promising. Granted, the longer a bill is in committee, the worse it will become since most senators really have no grasp on technology. That combined with the looming election in November when Democrats might lose the Senate, and I am unsure if this bill will ever get to the House and be signed by the president. But it goes without saying that there is a crucial need for good, knowledgeable data privacy regulation at the federal level, bypassing a patchwork of poorly written state legislation that makes companies’ lives more difficult and confuses unwitting consumers.

Relatedly, Maryland passed similar data privacy regulations for its consumers Sunday, as well.