EFF is concerned that a new federal bill would freeze consumer data privacy protections in place, by preempting existing state laws and preventing states from creating stronger protections in the future.
The bill should limit sharing with the government and expand the definition of sensitive data.
Reining in companies' massive collection, misuse, and transfer of everyone's personal data should be the unifying goal of those who care about the internet.
In general, the APRA would require companies to minimize their processing of personal data to what is necessary, proportionate, and limited to certain enumerated purposes.
It would specifically require opt-in consent for the transfer of sensitive data, and most processing of biometric and genetic data.
The APRA should not preempt existing and future state data privacy laws that are stronger than the current bill.
The ability to pass stronger bills at the state and local level is an important tool in the fight for data privacy.
We ask that Congress not compromise our privacy rights by undercutting the very state-level action that spurred this compromise federal data privacy bill in the first place.
APRA would allow many state sectoral privacy laws to remain, but it would still preempt protections for biometric data, location data, online ad tracking signals, and maybe even privacy protections in state constitutions or some other limits on what private companies can share with the government.
If lawmakers in Washington state wanted to follow EFF's advice to ban online behavioral advertising or to allow its citizens to sue companies for not minimizing their collection of personal data, state legislators would have no power to do so under the new federal bill.
The private right of action does not apply to some of the most important parts of the law, including the central data minimization requirement.
APRA should close a loophole that may allow data brokers to sell data to the government and should require the government to obtain a court order before compelling disclosure of user data.
The APRA has heightened protections for sensitive data, and it includes a long list of 18 categories of sensitive data, like biometrics, precise geolocation, private communications, and an individual's online activity over time and across websites.
We ask Congress to add other categories, like immigration status, union membership, employment history, familial and social relationships, and any covered data processed in a way that would violate a person's reasonable expectation of privacy.
The sensitivity of data is context specific, meaning any data can be sensitive depending on how it is used.
The APRA's exceptions on biometric information, de-identified data, and loyalty programs should be narrowed.
De-identified data is excluded from the definition of personal data covered by the APRA, and companies and service providers can turn personal data into de-identified data to process it however they want.
The problem with de-identified data is that many times it is not.
Many people do not want the private data that they store in confidence with a company to then be used to improve that company's product or train its algorithm, even if the data has purportedly been de-identified.
Many companies under the APRA can host loyalty programs and can sell that data with opt-in consent.
This Cyber News was published on www.eff.org. Publication date: Tue, 16 Apr 2024 19:58:03 +0000