The question of whether Europe’s pending privacy rules would make it to the U.S. is nearing an answer.
Last week, while Congress grilled Facebook CEO Mark Zuckerberg about the company’s failure to protect people’s privacy, Democratic Sens. Edward Markey and Richard Blumenthal introduced the CONSENT Act. The Customer Online Notification for Stopping Edge-provider Network Transgressions Act would impose rules in the U.S. similar to those of the EU’s General Data Protection Regulation, which takes effect on May 25. However, there are important differences between the two.
What would the act require?
In a word: consent. Publishers, platforms, brands and anyone else collecting people’s information online would need to obtain a person’s explicit consent before they can use, share or sell certain information about that person. They would need to detail all the ways that information is used, shared or sold, and notify people when those ways change “in a significant way,” according to the bill.
What information, exactly?
The data that ad buyers and ad sellers typically rely on to target and measure ads online: The sites people browse online, the apps they use and their geolocation. People also would have to give consent for any use of their emails, private messages, call details, financial information, health information, Social Security numbers and information related to children.
Sounds good for consumers. What’s the catch?
There may be a loophole for certain pieces of personally identifiable information, like people’s names and email addresses. That information is not listed among the types that would require consent. It would be up to the Federal Trade Commission, which would enforce the law, to decide what types of personally identifiable information should also require consent to be used, shared or sold. If the FTC excluded such information under the act, companies would only be required to notify people if they use, share or sell people’s names, email addresses and other personally identifiable information.
How would the act affect publishers, advertisers and platforms like Facebook and Google?
Platforms and advertisers could only target ads to people who gave them permission to collect their information, though the loophole could be used to target ads by matching the names and email addresses of users and customers. Advertisers could see smaller audience segments to target. And brands would also have to obtain people’s consent to use information collected from a brand’s own site or app to target them with ads or determine if seeing an ad led to a sales action.
Couldn’t publishers and platforms require people to give consent to use their sites or apps?
No. Companies would not be able to bar people who don’t give consent from using their sites or apps, according to the bill.
So this is basically the U.S. version of the GDPR?
Yes and no. On the surface, the GDPR and the CONSENT Act both would require companies to obtain people’s consent to use certain information. But the 15-page CONSENT Act largely stays on the surface, while the 99-article GDPR goes deep into how its rules apply to companies that control people’s data versus those that process it. The personal information loophole is another big difference. Companies could still use that information without consent if they tell people how they are using it.
What’s the likelihood of the act becoming law?
Hard to say. Congress has introduced two online privacy laws, in 2011 and 2015, but they never passed. Perhaps there’s more momentum now with the Facebook situation, said Adam Solomon, partner at Michelman & Robinson, but he characterized the bill’s potential to pass as “still pretty low.” And with no Republican sponsor yet, it’s not going to go anywhere, said Gary Kibel, partner at law firm Davis & Gilbert.