Legislation to stop tech companies from tracking users online is finding new momentum as Congress seeks to crack down on big tech’s privacy practices.
On Tuesday, Sen. Josh Hawley (R-Mo.) unveiled a “Do Not Track” bill with tough penalties for companies who break its protections, reviving a debate over whether users should be allowed to opt out of the tracking and data collection that comprise the core of many top tech companies’ business models.
Efforts to create a Do Not Track registry have hit roadblocks for more than a decade, but consumer advocates and tech industry critics say Hawley’s bill could find better traction amid a larger backlash against tech behemoths including Google, Facebook and Amazon.
{mosads}
Gabriel Weinberg, the CEO and founder of privacy-oriented search engine DuckDuckGo, told The Hill Americans are more concerned about privacy issues than they were a decade ago, when the first conversations about a Do Not Track registry gained prominence.
He said those efforts occurred before privacy became “mainstream,” pointing to a spate of highly public surveillance- and privacy-related scandals over the past decade.
“There’s a pressure to pass something this year, I think, because there’s a will from people to do something,” Weinberg said.
DuckDuckGo earlier this month released a Do Not Track proposal of its own, calling for legislation that would legally require websites to stop collecting data on users who opt out of certain kinds of “non-essential” tracking.
The Do Not Track registry would be modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list, which allows people to say they no longer want to receive telemarketing calls.
Weinberg said he was approached by Hawley’s office, as well as a few other lawmakers, shortly after putting out the proposal, and supports the freshman Missouri Republican’s bill.
Hawley’s bill breaks with DuckDuckGo’s proposal on some points, but the basic idea is the same: It would allow Americans to opt out of companies collecting their data beyond what is “necessary” for those services to run. And companies would face steep penalties if they fail to respect that decision.
“It’s very simple: It just says that a consumer can make a one-time choice not to be tracked, not to have her data sent to these companies and to stop them from then selling that data to other companies,” Hawley said at a Senate Judiciary Committee hearing on Tuesday. “I think we should make it compulsory and we should give it the force of law. … This puts the ball in consumers’ court, gives them ownership over their own data, gives them the right to control it.”
{mossecondads}
Hawley’s bill would put the force of law behind the list, threatening companies with fines of up to $1,000 per person for “willful or reckless” violations and $50 per day for “negligence.”
Advocates have long pushed for a Do Not Track database.
In 2010, the FTC endorsed a Do Not Track initiative, and lawmakers including Rep. Jackie Speier (D-Calif.) introduced legislation that would have empowered the FTC to create the list.
The efforts to create a federally enforced registry, though, never panned out amid enormous pressure from industry representatives, who could not come to an agreement over what “tracking” means in the first place. The working group tasked with coming to an agreement on how to implement the pro-privacy registry was ultimately unable to come to a consensus after years of wrangling.
Weinberg said that at the time, the tech industry was singing a different tune on privacy. For the most part, the top companies were resistant to any form of federal regulation.
But this year, Hawley is introducing the bill as companies like Google and industry trade groups are getting behind the calls for privacy legislation, seeking to get a seat at the table as efforts to craft a comprehensive privacy law ramp up on Capitol Hill.
The Interactive Advertising Bureau (IAB), an ad business organization, was one of the most fervent opponents of previous Do Not Track efforts. The group, which represents advertising and marketing technology companies, sought to quash the effort entirely.
But IAB last week put out a blog post calling for “Do-Not-Track Plus,” meaning broader federal privacy legislation that imposes “penalties, civil and criminal, for illicit uses of data.” The group noted that they still believe a federal Do Not Track list would promote “an incorrect, noxious notion that consumers are de facto victimized by the use of their data,” but said broader regulations are needed to address the issue.
But there are still questions about the path ahead. Some expected allies to Hawley’s push have not yet gotten on board.
The Electronic Frontier Foundation (EFF), one of the leaders of the push to implement a registry in 2011, said they are still reviewing Hawley’s bill and declined to comment on Tuesday.
Marc Rotenberg, the president of the Electronic Privacy Information Center (EPIC), in an emailed statement to The Hill called the Do Not Track concept “a straightforward approach to a real problem,” but noted that implementation can be “very tricky.” EPIC helped pioneer the “Do Not Call” registry.
Joe Jerome, a policy counsel with the Privacy and Data Project at the Center for Democracy and Technology, told The Hill that he and other privacy activists think Do Not Track legislation would be a “good step forward,” but the conversation about privacy has expanded exponentially. He mentioned that advocates will want bills that deal with third-party data brokers, internet-connected devices and the larger “non-browser” tech environment.
Do Not Track proposals have typically revolved around internet browsers.
“Do Not Track could be a really useful user control but it doesn’t really solve the entire problem,” Jerome, a leading voice on privacy, told The Hill. “It’s something we should’ve been doing 10 years ago. The fact we didn’t means we have a whole lot of other problems.”
“I don’t think a federal Do Not Track solution is comprehensive enough to deal with all of the other political issues at play in the national privacy debate right now,” Jerome continued. “I don’t think it addresses some of the overarching data security, anti-discrimination, dark-pattern [concerns].”
And it’s unclear whether other lawmakers will get behind Hawley’s proposal.
Sen. Richard Blumenthal (D-Conn.), a tech critic, and Sen. Roger Wicker (R-Miss.), chairman of the Senate Commerce Committee, told The Hill that Hawley had not yet approached them about the legislation. The Commerce Committee would likely have some jurisdiction over the bill, as the panel oversees the FTC.
A spokesman for Sen. Ron Wyden (D-Ore.), who included Do Not Track provisions in his draft data privacy legislation released last year, said the office is still reviewing Hawley’s bill.
Blumenthal said he would be open to collaborating with Hawley, noting that he’s also supported Do Not Track efforts in the past, and Wicker said he is interested in it as well but hasn’t heard about it.
Hawley’s office said they would have updates in the future about co-sponsors.
Advocates, though, are hopeful for the effort, even as they caution that it is just one step in addressing privacy issues.
“I do think, again, a Do Not Track proposal with some teeth could make a meaningful difference for consumers’ privacy,” Jerome said.
“I don’t think it’s the end of the conversation.”