Get ready for a lobbying furor, because there’s suddenly a plausible, bipartisan, bicameral push to finally give the U.S. a comprehensive data-privacy law, going way beyond the protections for medical and children’s data that already apply countrywide.
The bill, which will be formally introduced later this month, is called the American Privacy Rights Act, or APRA. It was unveiled yesterday (yes, on a Sunday) by Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.), who respectively chair the House and Senate Commerce Committees. And its contents look awfully familiar from my vantage point here in Europe, home of the General Data Protection Regulation (GDPR).
APRA would let Americans opt out of targeted advertising and minimize the personal data that companies hold on them. They would be able to tell companies to give them access to their data, to correct or delete it, and to demand a downloadable version of their data that they could port over to a rival service provider. Companies would be unable to pass on sensitive personal data without the subject’s express consent and be banned from using “dark patterns” on pages where users choose their privacy preferences to subliminally divert them from exercising their new rights.
Consumers would gain the right to opt out of companies making algorithmic decisions about them in crucial areas like employment, housing, and education. Companies would have to abide by stronger data security standards, to protect people’s data—with executives bearing ultimate responsibility, though it should be noted that small businesses (with revenues under $40 million) that don’t collect much data would remain exempt from the bill’s provisions. The law would enable enforcement by the Federal Trade Commission and in private suits by victims.
Of course, many of these rights are already available to Americans, but only in certain states. The absence of a comprehensive federal data privacy law has resulted in an increasingly confusing patchwork of state laws. One example: California, Colorado, Connecticut, Utah, and Virginia all let people opt out of targeted advertising, but only California mandates the opt-out wording and demands that the opt-out link appear on a service’s homepage. And these are just the states that already have such laws in place—over the next two years, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, and Texas are all due to see their own takes on a comprehensive privacy law come into effect.
APRA would almost completely flatten the landscape by preempting all state privacy laws, except in specific legal domains including civil rights, consumer protection, and contracting. That’s a big deal for tech firms, as it means predictability (the GDPR provided the same benefit in the EU when it came into effect nearly six years ago).
However, it’s also a big deal for APRA’s prospects in Congress. The last big push of this kind was the American Data Privacy and Protection Act (ADPPA) of 2022, which was also a Rodgers coproduction, but which Cantwell sunk because it didn’t preempt state laws, and would have given Americans in general weaker protections than those given to, say, Californians. The new proposal’s backers promise it will be “stronger” than any state law.
“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Rodgers said in yesterday’s statement. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.” Rodgers also noted that Americans “overwhelmingly want these rights,” while Cantwell described the agreement as “the protections Americans deserve in the Information Age.”
Indeed, Pew Research’s polling consistently shows that a strong majority of American adults do want more regulation of consumer data, be they Democrats or Republicans (though Democrats are a little likelier to be clamoring for more rules).
Big Tech has also been overtly keen on getting a proper federal privacy law in place—Meta’s Mark Zuckerberg, Microsoft’s Satya Nadella, and Apple’s Tim Cook have all called for an American GDPR of sorts over the past several years—and Microsoft privacy chief Julie Brill provided the sector’s first reaction to the APRA proposal late last night. “The U.S has long deserved to join the rest of the world in establishing comprehensive privacy legislation,” Brill (a former FTC commissioner) posted on X, with applause for Cantwell and Rodgers.
But again, now comes the lobbying. Everyone wants a predictable, harmonized regulatory landscape, still, I’m guessing not everyone wants American consumers to get full EU-grade privacy rights that limit what companies can do with the personal data they hold, particularly as the AI explosion makes those resources more valuable than ever. More news below.
David Meyer
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
NEWSWORTHY
Meta’s AI labeling. AI-generated media will from next month have to be labeled as such on Facebook and Instagram, parent company Meta has announced. As the Guardian reports, this marks a big change from Meta’s current policy, in which only videos have to be marked when AI was used to alter them to suggest that someone said something they didn’t (a stance that Meta’s Oversight Board recently criticized). The new “Made with AI” label will apply to videos, images, and audio, based on the uploader’s tagging or new industry-standard AI watermarks.
TSMC’s $65 billion Arizona plan. TSMC now plans to invest over $65 billion in three (rather than $40 billion in two) Arizona semiconductor plants, with the expansion of its investment being partly down to hefty funding from the CHIPS Act. As CNBC reports, the Biden administration announced the preliminary agreement this morning, with the market-leading Taiwanese contract chipmaker being set to receive up to $6.6 billion in direct CHIPS funding, plus around $5 billion in loans. (Bonus read: Dutch chipmaking equipment manufacturer ASML has agreed to U.S. demands that it stop servicing some of the machines it has sold to Chinese chip firms.)
Web Summit cofounder returns. Paddy Cosgrave, who stepped down as Web Summit CEO last October after criticizing Israel’s response to Hamas’s attacks, is now CEO again, Reuters reports. Cosgrave had been replaced by former Wikimedia Foundation chief Katherine Maher, who subsequently oversaw November’s Web Summit in Lisbon, but Maher soon left to become NPR’s new CEO. Cosgrave announced his return this morning in an X post with no mention of the controversy that triggered his departure.
ON OUR FEED
“I think the terrible payout of streaming services has mortally wounded a whole tier of artists that make being an artist unsustainable … We’ve had enough time for the whole ‘All the boats rise’ argument to see they don’t all rise. Those boats rise. These boats don’t. They can’t make money in any means. And I think that’s bad for art.”
—Music legend Trent Reznor tells GQ he thought he might be able to make a difference when working with Apple last decade, but became discouraged. (He and collaborator Atticus Ross also revealed that a new Nine Inch Nails album is in the works.)
IN CASE YOU MISSED IT
Open source AI is booming, but OpenAI’s GPT-4 is still the big winner with corporate customers—for now, by Sharon Goldman
Elon Musk’s leadership beginning to splinter Tesla loyalists as car sales drop: ‘He needs to focus and not be complaining or ranting about borders,’ by Christiaan Hetzner
China’s EV competition is so fierce that Volkswagen ‘cannot keep up’ and should avoid ‘utopian expectations,’ says its CEO, by Steve Mollman
Why I’m yet another woman leaving the tech industry, by Chelsey Glasson (Commentary)
BEFORE YOU GO
RIP Mahbod Moghadam. Genius cofounder Mahbod Moghadam has passed away at the age of 41. He died last month, the result of complications associated with a recurring brain tumor, but the news only caught hold in the tech world over the weekend, TechCrunch reports. As well as founding the song-lyric site, which was originally called Rap Genius, Moghadam also cofounded a blockchain-based encyclopedia called Everipedia and was most recently entrepreneur-in-residence at Mucker Capital.
This is the web version of Data Sheet, a daily newsletter on the business of tech. Sign up to get it delivered free to your inbox.
