This past Sunday, news broke that Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) announced a breakthrough and bipartisan bill for national privacy protections.
Dubbed The American Privacy Rights Act, which you can read in its entirety here, the bill is pitched as:
Establishing Foundational Uniform National Data Privacy Rights for Americans
Gives Americans the Ability to Enforce Their Data Privacy Rights
Protects Americans’ Civil Rights
Holds Companies Accountable and Establishes Strong Data Security Obligations
Focuses on the Business of Data, Not Mainstreet Business
The pitch sounds good - but where does the draft bill actually stand? Will it get diluted as politicians negotiate and compromise on the details, or will it be the platonic ideal of data dignity for all that we at ETP advocate for? Here are our top three takeaways.
Takeaway 1: Celebrate the movement of obligations of responsible data practices closer to Businesses, reducing the cognitive load on Consumers
At The Ethical Tech Project, we believe that consumers can and should better understand how their personal data powers the Internet - but that the fundamental responsibility to ethically manage that data is with businesses.
A key lesson learned from European privacy legislation is that informed consent from consumers to process their data takes much work. Opt-in cookie consent banners just didn’t get us there. People swat away annoying cookie banners and opt in to data processing without truly understanding what they signed up for.
Is the consumer genuinely informed by the ten-page legalese of a privacy policy? Is clicking a cookie banner as fast as possible to get to the underlying content truly giving consent? We think not.
Any move that reduces consumers' cognitive load and places obligations on businesses that have been working with data for decades should be celebrated.
Specifically, the draft American Privacy Rights Act does this in three ways:
Data Minimization: Processing of personal data should be proportional to the specific product or service requested by the individual. For example, don’t collect more data than you need.
Transparency: Privacy communications need to be clear and easy to understand. The federal bill places obligations on businesses to list information on third parties that process data and the names of any data brokers that receive the data.
Dark Patterns: Businesses shouldn’t get tricky about getting individuals to consent to data processing. Don’t interfere when it comes to notice, consent, or choice - be clear and transparent.
Takeaway 2: Three cheers on more power to consumers and recognition that their voice is important.
The central reason why we at The Ethical Tech Project have advocated for a Federal privacy law versus the collection of state laws we have today is that a federal privacy law gives regulators clarity to defend privacy, introduces uniformity for businesses on how they must behave, and situates the United States as an innovator in extending ethical technology principles globally.
The draft of the American Privacy Rights Act is a step in the right direction. Let’s break it down:
Provides clarity by establishing a set of Federal Rights to data privacy—namely, the right to access, the right to deletion, the right to correction, and the right to data portability.
Introduces uniformity by covering an expansive set of businesses, not just any company with more than $40 million in annual revenue, but any business that processes covered data of more than 200,000 individuals. Vital protection clauses like the prohibition on denial of service and waiver of rights - an explicit prohibition against retaliation - make clear to all organizations (as the law covers nonprofits) that the consumer's voice is important and a bona fide right.
Establishes the United States as an innovator in data privacy by including a private right of action. With this act, individuals can seek damages, injunctive relief, declaratory relief, and reasonable legal and litigation costs - a surprising inclusion given the bipartisan nature of the bill and long-standing Republican opposition to a private right of action. The bill would set an innovative standard that will resound globally.
Takeaway 3: Applause that the bill rightly connects data privacy to data fairness.
One of our core Ethical Data Principles is Fairness:
Businesses must measure and mitigate over the impact of data systems and the outputs in machine learning, intelligent systems, and artificial intelligence that may have disparate impact or bias in application.
We recently wrote that “we believe executives trained in the world of privacy should be top candidates for senior AI roles in companies” - acknowledging that privacy professionals are well-placed to tackle ethical AI issues and that privacy is a core component of ethical AI.
So let’s give a big round of applause to the authors of the draft American Privacy Rights Act and their position on ethical AI issues as hand-in-hand with privacy issues! While the bill only mentions “artificial intelligence” twice, it contains 32 mentions of “algorithm” and comprehensively defines the term Covered Algorithm as:
A computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision-making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.
In our view, the bill’s authors are rightly ensuring that “artificial intelligence” refers to the core mathematics that has been in the markets for years, not just the generative AI LLM techniques that have recently emerged.
Here are a few specific ways that the act injects privacy into the artificial intelligence discussion:
Civil Rights: AI outputs shouldn’t discriminate on the basis of race, color, religion, national origin, or disability. This is a clear indicator to businesses that addressing bias in AI outputs is an important issue.
Understand any potential harm to individuals from AI. Annual risk assessments will be required where AI touches important outcomes like decisions that affect minors or major life events.
When AI impacts “consequential decisions,” such as housing, employment, education, health care, or insurance, individuals can opt out entirely from the algorithm.
What do you think about the American Privacy Rights Act? Does it have a chance of becoming law in an election year? Let us know in the comments!
What We’re Reading on Ethical Tech This Week
The Hill - 5 things to know about the bipartisan data privacy bill
Reuters - US lawmakers strike deal on data privacy legislation
TechCrunch - EU and US set to announce joint working on AI safety, standards & R&D
NYTimes - How Tech Giants Cut Corners to Harvest Data for A.I.
DFP - GM faces 2nd lawsuit over driver data collection without consent
AdExchanger - Arielle Garcia Is The New Director Of Intelligence At Check My Ads