Senators Boucher and Stearns have first introduced a discussion draft of the bill, according to Cecilia Kang at the Washington Post. Unlike the earlier bill I talked about in the last podcast, this one seems a bit less controversial. It would require clearly published privacy policies, opt-out for collection of basic data, opt-in for collection of sensitive data and a user’s permission for third-party sharing unless the external site or service in question has easy-to-use privacy controls. There are clear and fairly precise definitions of both classes of personal data.
On the surface this seems more than reasonable. I would say that it bends over backwards to accommodate advertising networks. Public interest groups are already responding, suggesting that all data collection should be opt-in and that pushing on privacy policies, which is already failing, isn’t going to help anything. (Maybe pushing forward an icon/badge and metadata scheme is called for?) Kang also points out that the draft would allow for information sharing within an organization, including its subsidiaries. That is a risk worth noting given how much consolidation has been occurring in recent years.
I am of two minds on this bill, as I understand it. A harder line in favor of consumer control would be a better negotiating position when having to make eventual concessions as part of a compromise. However, too much emphasis on that end of the balance could also kill the bill before it even gets a start.
Maybe even a watered-down set of protections at this point is better than none, considering the sheer volume of data that is currently being vacuumed up and shared with who knows how many third parties. If the enforcement is clear enough and data about how the law fares is accessible, maybe we can use it as a foundation to build further protections following from an empirical baseline.