Blog Series: U.S. Privacy Regulations  - The CONSENT Act

Comment
Recent revelations about Facebook’s data privacy practices and Cambridge Analytica’s potentially nefarious use of Facebook data has a reactive Congress up in arms and poised to take action.
Ed Markey, Senator from Massachusetts, and Connecticut Senator Richard Blumenthal
iStock-957845322recently introduced the CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) Act. The CONSENT Act aims to require Edge-providers, or those that provide online services, provide clearer opt-in permissions from users to use, sell or share their data.

The Federal Communications Commission (FCC)
defines an Edge-provider as: “Any individual or entity that provides any content, application, or service over the Internet, and any individual or entity that provides a device used for accessing any content, application, or service over the Internet.”
 
Until now, commonly known Edge-providers like Google, Facebook, and Amazon have not been required to obtain clear permission from its users that would allow them to use, share, or sell their personal data.
 
This could change if the CONSENT Act becomes law, ushering in similar yet less comprehensive data privacy regulations to those included in the European Union’s new GDPR (General Data Protection Regulations.)

What Does the CONSENT Act Propose?
In his remarks about the bill, Senator Markey stated, “America deserves a privacy bill of rights that puts consumers, not corporations, in control of their personal, sensitive information. The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land. Voluntary standards are not enough; we need rules on the books that all online companies abide by that protect Americans and ensure accountability…”

The CONSENT Act proposes new regulations in the following areas:

  • Edge-providers must obtain opt-in consent from users to use, share, or sell users’ personal information (currently the model is one of opting-out, not opting-in)
  • Edge-providers must develop reasonable data security practices
  • Edge-providers must notify users about all collection, use, and sharing of users’ personal data
  • Edge-providers must notify users of data breaches
The Federal Trade Commission (FTC) would be in charge of enforcement and be required to “establish privacy protections for customers of online edge providers, and for other purposes.” 
 
It’s important to note that Internet Service Providers (ISPs), also known as network providers, do not fall within the purview of the CONSENT Act, in the current iteration of the bill.
Yes! I Want a FREE Compliance Consultation What Does this Mean for Nonprofits and Associations?

First, it is important to note that, the FTC does not have jurisdiction under the FTC Act over most nonprofit organizations, although it does have jurisdiction over sham charities or other nonprofits that actually operate for profit.

However, good data stewardship is something any organization should incorporate into its daily operations.  Staying abreast of current and potential regulations at the state and federal level is critical to any organization.

While the CONSENT Act has not yet passed, and may not pass, there is clear momentum for stronger data/privacy regulations within the U.S. government given recent high profile data privacy issues and the global impacts of GDPR.  You can track the status of this Bill here.

The CONSENT Act is not the only recent privacy-themed bill that has been introduced. U.S. Senators John Kennedy of Louisiana and Amy Klobuchar of Minnesota have their own bill titled the Social Media and Privacy Rights Act of 2018. Interestingly, this bill does not require explicit consent (opt-in rather than opt-out) whereas the CONSENT Act does.  You can track the status of this Bill here.

There are also regulations being introduced and passed at the state level. Vermont, became the first state to institute a law aimed at “data brokers” and sets forth obligations to protect Vermonters.  California has introduced “The California Consumer Privacy Act of 2018” which, if passed, will give every Californian the ability to control the use, including the sale/disclosure, of their personal data.  The Vermont law can be found here and the California Bill can be found here.

Those who watch the data privacy space feel the CONSENT Act is the more comprehensive and well thought out bill. Regardless, momentum for increased consumer and personal data privacy protections is growing rapidly.

While the greatest burden might fall on the larger, global companies through diminishing online ad targeting and increased security costs, associations and nonprofits need to recognize that data privacy and IT security will soon become more and more essential to smaller organizations.

The recent Cambridge Analytica/Facebook controversy, GDPR and the increasingly complex digital landscape make it imperative for all organizations to protect their data through stronger security measures and better IT best practices.

Partnering with an IT expert to improve your security and infrastructure integrity is a sound investment, given the damage a data breach could cause your brand and the people that have come to trust it.

American Technology Services can help your organization improve your security capabilities by combining your existing resources with our experience and expertise.

We provide a host of security services, including consulting, security awareness training, vulnerability assessments, penetration tests, continuous monitoring and incident response services.

We’ve helped scores of organization’s just like yours become more secure and compliant.

Don’t wait for a data breach (remember, It's not if, but when) have to play catch up to newly introduced regulations. Reach out to us today. We’d love to hear from you.