People in a congressional office wave at Mark Zuckerberg as he walks around Capitol Hill. Photo: Jim Watson/AFP/Getty Images
A new data privacy bill proposed by two senators who have aggressively questioned Facebook's data practices mostly includes measures that the company has already embraced.
Why it matters: Even the lawmakers in the United States who are critical of Silicon Valley so far seem uninterested in cracking down too hard on the web companies or introducing the kind of sweeping privacy regulation set to go into effect soon in Europe.
Two new regulations introduced by the bill, sponsored by Sens. John Kennedy (R-La.) and Amy Klobuchar (D-Minn.), are measures that Facebook CEO Mark Zuckerberg already said he had no problem with — or outright suggested himself — when he appeared before Congress this month:
- Requires notifying affected users within 72 hours when a data exposure occurs that violates a company’s policies: “Senator, that makes sense to me,” Zuckerberg told Klobuchar. “And I think we should have our team follow up with — with yours to — to discuss the details around that more.”
- Requires that terms of service be easy for users to read: “Around privacy specifically, there are a few principles that I think it would be useful to — to discuss and potentially codified into law,” Zuckerberg said. “One is around having a simple and practical set of — of ways that you explain what you are doing with data.”
And many of the bill's requirements map closely to what Facebook and other online platforms already do:
- It permits opt-out consent for user data collection, rather than requiring the stricter opt-in approach. Opt-out is how Facebook and other platforms already work. The bill also says websites can deny a user service if they create "inoperability in the online platform" by opting out of data collection.
- It requires companies to provide users with the data that has been collected about them, which it is already possible to download from the Facebook platform — although this tool is limited.
“There’s definitely a lot of work to be done. It doesn’t go far enough, as a baseline matter,” said Ernesto Falcon, the legislative counsel for the Electronic Frontier Foundation, a privacy group. He noted the bill didn't deal with third-party data brokers or have a requirement for opt-in consent.
But, but, but: There are some aspects of the bill that don’t line up with Facebook’s commitments or current policies, as a Klobuchar spokesperson pointed out:
- It requires that users be given options, like deleting their data, when they are notified of a privacy violation.
- It requires a company to get opt-in consent when it makes a change that overrides a user's privacy preference.
Klobuchar’s spokesperson said while Facebook is taking some positive steps to address privacy concerns, the bill matters because it applies its standards to the whole industry.
The photo caption on this story has been corrected to reflect that it is not staffers in the office of Sen. Amy Klobuchar waving to Mark Zuckerberg, but unidentified individuals.