Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.
To say that privacy advocates are skeptical of the Rubio bill is an understatement. For starters, the bill makes no mention of stringent enforcement, heightened transparency, or timely notification of violations. Other bills from Senators Wyden (D-OR) and Schatz (D-HI), however, implement sensible provisions. These include defining sensitive information and requiring the Federal Trade Commission (FTC) to establish a Bureau of Technology, which would give the FTC more resources to investigate companies. Rubio’s bill, by contrast, maintains one stark difference: state preemption. Rubio has made it clear that his bill would preempt state privacy bills like California’s in favor of a federal privacy standard.
In comparison to the CCPA’s strict provisions, such as enforced rulemaking authority and timely notifications to consumers, Rubio’s bill would only give the FTC authority to craft privacy rules if Congress is unable to do so after more than two years of debate.
Rubio justifies this prolonged timeline by suggesting that Congress needs more time to make informed decisions to protect consumers and promote innovation. Rubio claims this timeline is sensible because it ensures a non-partisan approach from the experts who are informed on the best course of action.
In reality, Rubio’s bill is a poor option for consumers and companies. For starters, the bill would only allow the FTC to craft privacy rules based on the guidelines in the Privacy Act of 1974. While the Privacy Act may have been timely back in 1974, it is hopelessly antiquated and unable to account for modern technological advancements. The Rubio bill fails to address issues like data minimization or data security standards and fails to broadly define personal information.
Ultimately, the Rubio bill exists to address industry concerns about a “patchwork of privacy bills.” It fails to add any substantive new consumer protections, despite the voluminous evidence that such protections are needed. Rather, the Senator suggests that in order to create a comprehensive data privacy bill, Congress needs more time—time which consumers, in this day of record-setting data breaches and privacy threats, simply do not have.