Senator Tammy Baldwin's office issued the following yesterday:

12.13.18

U.S. Senator Tammy Baldwin Joins Colleagues to Help Protect People’s Personal Data Online

Data Care Act will stop websites and apps from using personal data against users, protect user information from hacks and hold companies accountable for misuse

WASHINGTON, D.C. – U.S. Senator Tammy Baldwin joined 15 of her Senate colleagues in introducing new legislation to protect people’s personal data online. The Data Care Act, led by Senator Brian Schatz (D-HI), would require websites, apps and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.

“Far too many times, we have seen online providers fail to meet their users’ expectations about how their personal data will be collected, used and protected. The current system is skewed against consumers and we have to fix it,” said Senator Baldwin. “The Data Care Act will provide clear, reasonable rules of the road on user data, and hold companies who fail to follow them accountable.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” said Senator Schatz.

Doctors, lawyers and bankers are legally required to exercise special care to protect their clients and not misuse their information. While online companies also hold personal and sensitive information about the people they serve, they are not required to protect consumers’ data. This leaves users in a vulnerable position; they are expected to understand the information they give to providers and how it is being used – an unreasonable expectation for even the most tech-savvy consumer. By establishing a fiduciary duty for online providers, Americans can trust that their online data is protected and used in a responsible way.

The Data Care Act establishes reasonable duties that will require providers to protect user data and will prohibit providers from using user data to their detriment:

• Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
• Duty of Loyalty – May not use individual identifying data in ways that harm users;
• Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling or sharing individual identifying data;
• Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
• Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

“Free Press Action welcomes the important contributions the Data Care Act makes to a growing list of good ideas on privacy in the Senate. The bill shifts away from a notice and choice framework alone, where internet users bear all the responsibility and risk of protecting themselves, with few remedies for violations. Instead it moves towards putting the duty on companies and other data collectors where it belongs, to actually prevent such harmful exploitation and honor people's rights. It also does the right thing by empowering the FTC to make rules and impose penalties, and let’s state attorneys general enforce the new protections too. We thank Senator Schatz and all the co-sponsors for putting so many ideas on the table, pushing the debate towards even more comprehensive laws,” said Sandra Fulton, Government Relations Director for Free Press Action.

“We commend Senator Schatz for tackling the difficult task of drafting privacy legislation that focuses on routine data processing practices instead of consumer data self-management. It signals an important shift in how Congress views consumer privacy issues and foreshadows a serious privacy debate in 2019,” said Michelle Richardson, Director of the Privacy and Data Project at the Center for Democracy and Technology.

“EFF thanks Senator Schatz for his leadership on protecting consumer data privacy. We generally favor legislation requiring large companies to serve as fiduciaries for their consumers' data, and to satisfy duties of loyalty, confidentiality, and care for their users. We look forward to working with the Senator to improve his bill and to advance information fiduciary protections that will meet the needs of Internet users and adequately safeguard consumer data privacy as a part of comprehensive privacy legislation,” said India McKinney, Legislative Analyst for the Electronic Frontier Foundation (EEF).

In addition to Senators Baldwin and Schatz, the Data Care Act is co-sponsored by Senators Maggie Hassan (D-NH), Michael Bennet (D-CO), Tammy Duckworth (D-IL), Amy Klobuchar (D-MN), Patty Murray (D-WA), Cory Booker (D-NJ), Catherine Cortez Masto (D-NV), Martin Heinrich (D-NM), Ed Markey (D-MA), Sherrod Brown (D-OH), Doug Jones (D-AL), Joe Manchin (D-WV) and Dick Durbin (D-IL).