Some top Senate Democrats, including members of the Commerce and Judiciary committees, have released a set of core privacy principles they say should underpin any new federal legislation.
Legislators on both sides of the aisle have said they support comprehensive privacy legislation, driven in no small measure by their concerns about web sites sharing data, including personal information, and failing to sufficiently protect it or disclose its use.
Signing on to the principles are Senators Dianne Feinstein (D-Calif.), Maria Cantwell (D-Wash.), Sherrod Brown (D-Ohio) and Patty Murray (D-Wash.), ranking members of the relevant committees, who had been asked to come up with the principles by Minority Leader Chuck Schumer (D-N.Y.).
"Under our framework, consumers would control their personal information, and corporations, non-profits, and political entities would be held to higher standards for when and how they collect, use, share, and protect our data," they said in issuing the principles.
Also backing the principles, and consulted on them, were Sens. Ron Wyden (D-Ore.), Richard Blumenthal (D-Conn.), Brian Schatz (D-Hawaii) and Ed Markey (D-Mass.).
Among the principles:
- Data minimization, especially relating to "biometrics, race, sexual orientation, children, health, or finances."
- Prohibiting harmful, deceptive and/or abusive collection practices
- Limiting data sharing with service providers and third parties
- Require greater accountability and higher standards for data security and retention
- Require data protection practices to apply to data gained via mergers, acquisitions and bankruptcies
- Data portability among companies
- Consumer rights to "know, access, delete, correct, and restrict the transfer and retention" of data
- Civil Rights protections against discriminatory algorithms
- Shift responsibility for privacy protections from consumers to corporations, including CEO accountability, whistleblower rights and consumer redress.
- "Significant" civil fines and criminal penalties, including for first appearances.
- State and private enforcement (private rights of action), with no overriding of state action by mandatory arbitration clauses.