Privacy Bill Essentials: Social Media Privacy Protection and Consumer Rights Act of 2021

Intending to strengthen the privacy of consumers’ online data, U.S. Senators Amy Klobuchar (D-MN), John Kennedy (R-LA), Joe Manchin (D-WV), and Richard Burr (R-NC) have reintroduced the Social Media Privacy Protection and Consumer Rights Act of 2021. The Act aims to improve the transparency of online platforms, strengthen consumer options in the event of data breaches, and ensure that companies comply with privacy policies that protect consumers.

To whom would it apply?

The Act would apply to any online platform that collects personal data from the online behavior of an online platform user. 

An online platform means any public-facing website, web application, or digital application (including a mobile application); and includes a social network, an ad network, a mobile operating system, a search engine, an email service, or an internet access service.

What types of information would it cover?

The Act defines personal information as individually identifiable information about an individual collected online, including location information sufficient to identify the name of a street and a city or town, including a physical address; an email address; a telephone number; a government identifier such as a Social Security number; geolocation information; the content of a message; and data governed by the Health Insurance Portability and Accountability Act (HIPPA) and the Gramm-Leach-Bliley Act (GLBA). 

What rights would it create?

The Act would create a number of consumer rights, including:

• The right of users to opt-out and keep their information private by disabling data tracking and collection;
• Provide users greater access to and control over their data;
• Require terms of service agreements to be in plain language;
• Ensure that users see what information about them has already been collected and shared;
• Require users to be notified of a breach of their information within 72 hours;
• Offer remedies for users when a breach occurs; and
• Require online platforms to have privacy programs.

What obligations would it impose?

Under the Act, online platforms will be required to:

• Inform users that, unless otherwise elected, personal data of users produced during the online behavior of users will be collected and used by the operator and third parties;
• Provide users the option to specify their privacy preferences;
• Provide users with the terms of use for the online platform;
• Establish and maintain a privacy or security program for the online platform;
• Publish a description of the privacy or security program that details how the operator will use the personal data of the user of the online platform, including requirements for how the operator will address privacy risks associated with the development of new products and services; and that includes details of the access that employees and contractors of the operator have to the personal data of a user of the online platform, and internal policies for the use of that personal data;
• If requested by a user, offer a copy of the user’s personal data they processed free of charge and in an electronic and easily accessible format, including a list of each person that received the user’s data; and
• Audit the privacy or security program of the online platform once every two years.

The Act prohibits online platforms from introducing a new product, or changing the data privacy or security program of the platform in a way that overrides the privacy preferences of users unless the platform has informed users of the change and obtained their affirmative express consent.

How would it be enforced?

The Act would be enforced by the Attorney General. Any violation of the duties established by the Act would be treated as violations of a Federal Trade Commission (FTC) rule defining unfair or deceptive acts or practices. The Attorney General of a state must notify the FTC in writing that the Attorney General intends to bring a civil action before initiating suit, and the FTC may intervene.

When would it go into effect?

The Act would go into effect 180 days after the enactment date. An individual user of a covered online platform before the effective date will be treated as if he or she had become a user of the online platform on the effective date. The Act does not apply to any conduct that occurred before the effective date.

Where does it stand? 

The Act has been read twice and is now referred to the U.S. Senate Committee on Commerce, Science and Transportation.