Rep. Suzan DelBene, a former Microsoft exec and currently a congresswoman from Washington State, has drafted a privacy bill that includes input from both consumer groups and tech companies, she says, and would apply to ISPs as well as edge providers.
The draft bill would beef up the FTC's regulatory authority by directing it to promulgate rules--it generally enforces via consent decrees and lawsuits--to protect sensitive personal information.
The Online Transparency & Personal Data Control Act, taking a page from new EU privacy protections, would require "affirmative, express opt-in consent" to the collection, storage, processing or sharing of "sensitive personal information or behavioral data," which is defined as a laundry list of information from phone numbers and names to essentially anything the Federal Trade Commission decides is in that category.
"We've all become so dependent on technology, and it is exciting to see what the future may hold. But we're at a point where consumers desperately need a clear understanding of what happens to their data, and the chance to have greater control," said the congresswoman. "Rather than having to comb through confusing policies and figure out how to opt out of highly invasive settings, customers should be able to expect privacy as the default."
Any entity wanting to collect and share data would have to identify and provide contact info for any entity collecting personal information or behavioral data; disclose the purpose for collection and how the data is shared, and with whom; how long it is stored; how consent can be withdrawn; and more.
Every two years, companies would also have to conduct a privacy audit using an independent third party and publish a redacted version of the audit.
The requirements would apply to "any entity who operates a website located on the internet or an online service and who collects or maintains personal information from or about individuals, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any entity offering products or services for sale through that website or online service, involving commerce among the States or with one or more foreign nations."
The definition of sensitive personal or behavioral information includes names and addresses--physical and IP and email--and phone numbers, as well as Social Security numbers, financial information, health information, relationships, any information on people 17 and under, driver's license numbers, user names, passwords, geolocation info, content of communications, call records, web browsing history, biometric information, sexual orientation, political preference, religious beliefs, and anything else the FTC decides fits the bill.
That would cover just about all the information edge providers use to monetize their platforms in addition to the information--health, financial, Social Security, etcetera--that almost everyone agrees needs heightened protection.
While the privacy issue has become increasingly bipartisan, particularly in the wake of breaches and the Facebook/Cambridge Analytica third-party info sharing debacle, the bill in its present form is unlikely to get much Republican support given that laundry list of information for which opt-in consent would be required.