MarketWatch: How Congress could force tech companies to stop exposing your personal data

After a year rife with security scandals, high-profile hacks, and data breaches, Congress is starting to take steps toward protecting the privacy of people who use the internet or smartphone apps — in other words, nearly every single American.

A group of 15 Democratic senators introduced the Data Care Act this week, a proposed bill that would establish new rules around how companies collect and share users’ personal information, requiring them to “reasonably secure” consumer data. It’s one of a few privacy bills to be introduced this year and, if passed, it would be the first comprehensive federal privacy law in the U.S., as opposed to the sector-specific rules that exist today.

The Data Care Act would require tech companies to promptly inform users of security breaches, prohibit them from using data to “harm users,” and ensure that security measures are in place even when companies share users’ data with third parties. The act would be enforced by the Federal Trade Commission, which would establish fines and other punishments if companies violate it.

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Sen. Brian Schatz (D-Hawaii), who co-sponsored the bill, said in a statement. “Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill’s introduction follows a number of data privacy scandals in 2018, and comes as tech companies are increasingly being asked to answer for how they use their customers’ sensitive information. U.S. Rep. Suzan DelBene of Washington introduced consumer privacy legislation in September that has yet to be considered. Another bill, introduced by Sen. Ron Wyden of Oregon, suggested a jail sentence of 10 to 20 years for tech executives who fail to follow rules around data use and would allow the FTC to fine tech companies up to 4% of their annual revenue for a violation. The Data Care Act introduced Monday did not suggest specific amounts for fines, but, if passed, would give the FTC permission to establish fines for violations.


After California passed a sweeping privacy bill in June, it seemed inevitable that federal legislation would emerge to address the “patchwork quilt of legislation across all 50 states,” Dimitri Sirota, chief executive officer and co-founder at BigID, a New York-based privacy software company, said.

“What all this legislation has in common is the notion that consumers want better accountability and more transparency around how companies make use of data and sell it,” he said. “It’s gone from something that is speculative to something that is inevitable, and is affecting behavior in corporations. Organizations need to prepare because there will be federal regulation coming.”

Security experts, including India McKinney, legislative analyst for the privacy nonprofit Electronic Frontier Foundation (EFF), initially praised the proposed Data Care Act.

“We generally favor legislation requiring large companies to serve as fiduciaries for their consumers’ data, and to satisfy duties of loyalty, confidentiality, and care for their users,” she said.

The proposed bill does have some flaws, said Kristina Bergman, chief executive officer of Integris Software. It does not define what personal data actually is as clearly as the General Data Protection Regulation, the European Union privacy law that went into effect in May.

“Right now consumers often have no idea how their personal data is used — or even what personal data a company has about them. In fact, companies themselves often don’t have a clear idea of what personal data is in their possession,” she said. “Defining and identifying what constitutes personal data is the first step required before any aspects of the rest of the bill can be accomplished.”

The Internet Association, a trade organization representing major technology companies including Amazon, Google, Facebook and eBay, said the bill is a positive step toward advancing federal privacy legislation.

“Internet companies act as responsible stewards of people’s data and agree with Sen. Schatz that federal legislation should promote responsible data practices,” Internet Association president and CEO Michael Beckerman said in a statement. “The industry looks forward to continuing its work with Sen. Schatz, Members of the 116th Congress, and other stakeholders on both sides of the aisle on our shared goal of passing an economy-wide law that protects consumer privacy and allows companies to innovate.”