As states move forward with their own digital privacy laws in the absence of federal regulation, Rep. Suzan DelBene, D-Wash., is reintroducing a bill aimed at creating a national standard for digital privacy rights.
The bill comes about a week after Virginia’s governor signed the state’s own privacy legislation into law, making it the second state in the country after California to ensure such rights. But DelBene’s bill would preempt it and other state laws to create a uniform standard across the U.S.
That sets her bill apart from several other Democratic bills that explicitly allow for states to have their own digital privacy laws so that they may build on the protections of the federal standard. But DelBene stressed in a virtual meeting with reporters last month that a state-by-state decision would be too confusing and onerous for both consumers and small businesses.
“I understand why states are moving forward in the absence of the federal government moving, but I think it is much better to have a federal law versus a patchwork of laws,” she said, adding that small businesses that don’t work strictly in the tech space will also be subject to the same data protection standards for their customers. That includes companies like those that process credit card transactions and have online storefronts.
DelBene’s bill seeks to preserve room for innovation and for emerging businesses to grow by exempting small businesses from regular audits of their privacy practices. DelBene’s staff based the threshold on real-world data, with the idea that a small local coffee shop shouldn’t necessarily be subject to a burdensome audit.
The bill is fairly focused on the most essential privacy protections, with stricter guidelines for sensitive data like Social Security numbers and health data than for less sensitive information like names and emails. For example, under the bill, consumers must explicitly opt in to allowing a company to sell or share their sensitive personal information, while they can opt out of the sharing of their non-sensitive personal information.
DelBene said the tight focus was intentional, emphasizing that the law should serve as a baseline that can be built upon with more targeted bills covering artificial intelligence, facial recognition technology and more.
The U.S. is playing catch-up to Europe on privacy and must set its own standards to get there, she said.
“If we’re going to help set global standards, we have to have a domestic policy, and in the absence of domestic policy [it’s] unclear what we’re striving for internationally,” she said. “I think privacy is foundational and if we don’t have privacy legislation in place it’s hard to think about how we add on top of this and start to address a wide array of areas.”
Since the bill was first introduced in 2019, DelBene has made several changes based on feedback from key stakeholders. Those include adding immigration and citizen status as well as mental and physical health diagnoses under the definition of sensitive personal information and changing privacy audits from every year to every two years.
The new version also significantly ramps up resources for the Federal Trade Commission, which would be tasked with enforcing the law. This iteration would allow the FTC to hire 500 new full-time employees focused on privacy and security, rather than 50, and increase funding for its enforcement from $35,000,000 to $350,000,000.
DelBene said she’s optimistic that Congress will pass digital privacy legislation soon, but she also said she’s aware there are plenty of other straightforward bills that still haven’t made it through.
“I’m hopeful we can make it happen this Congress,” she said. “And if we don’t we will see more states make a different challenge for ourselves in terms of trying to rationalize all of that going forward.”