Senate Republicans introduced legislation Wednesday that would allow the FTC to oversee data use practices of common carriers and nonprofits. The Setting an American Framework to Ensure Data Access, Transparency and Accountability (Safe Data) Act -- from Senate Commerce Committee ranking member Roger Wicker, Miss., and Senate Consumer Protection Subcommittee ranking member Marsha Blackburn, Tenn. -- would allow the FTC to develop new rules on categories of sensitive data and require the agency to maintain a data broker registry. Consumers would be able to access, correct, delete and port data under the legislation. It would bar companies from processing or transferring user data without user consent.

Pass consumer data privacy legislation this term, Rep. Suzan DelBene, D-Wash., told a Friday Brookings Institute webinar. Data flows are "critical to our shared economic future" and nowhere more important than EU-U.S., she said. The European Court of Justice (ECJ) ruling in Schrems II (see 2007160002) left thousands of smaller companies that relied on trans-Atlantic data transfer mechanism Privacy Shield scrambling, she said: The growing patchwork of state privacy laws won't work and won't lead to a PS alternative. Current tools such as standard contractual clauses, binding corporate rules and recent European Data Protection Board guidance are helpful but don't "take away the need for a successor framework," said Workday Chief Privacy Officer Barbara Cosgrove. Talks on a PS replacement are ongoing, said Sharon Bradford Franklin, a director of the Center for Democracy and Technology security and surveillance project: CDT has heard that one is the extent to which the U.S. government can enact measures by the executive branch or Congress to address ECJ concerns. A comprehensive U.S. consumer data privacy law would be helpful, but surveillance laws must change to benefit Europeans and Americans, she said. The big issue is individual redress, said lawyer Peter Swire. There's frustration on the U.S. side about the issue because the U.S. has a good system via Foreign Intelligence Surveillance Act courts, Swire said: "Get over it." He and other panelists said it might be possible to give Europeans an independent review and some pathway to redress in federal courts administratively, via an executive order on surveillance law. Most agreed any solution must ultimately become law. The U.S. looks "really different" from the rest of the world with regard to privacy protection, and it’s hard to make the case that it's a safe place for data, said Swire. The U.S. and EU are considering whether they can align on tech issues such as data governance and AI, and must get a handle on privacy law first because it underpins those areas, said Cameron Kerry, Brookings distinguished visiting fellow-Center for Technology Innovation. The idea of the recently created Tech and Trade Council is to bring like-minded democratic countries together, he said: The U.S. is "the outlier" because it lacks a privacy regime.

Deployment of 5G will be impeded “if we don’t get privacy right,” GSMA Director-Privacy Boris Wojtan told an Omdia webinar Wednesday. “It’s no wonder that there’s an explosion of data protection laws around the world,” he said. “It’s a good 150 now and counting.” The U.S. has had privacy laws in place since the 1970s but is now “perhaps on the verge of adopting something that’s federal and general -- a bit like the California law, but at the federal level,” said Wojtan. “There will always be new regulations and fines to avoid, but the real driver here is trust.” That law is the California Consumer Privacy Act. More “robust” data privacy “programs” are needed that “are broad and more comprehensive and really look at where the risk is,” Wojtan said.

Three in four businesses that received notices of alleged privacy violations under the California Consumer Privacy Act (CCPA) cured problems in the 30-day period allowed by the law, state Attorney General Rob Bonta (D) said at a livestreamed Monday news conference. The other 25% include businesses under active investigation or within the 30-day window, he said. Bonta declined to say how many businesses received notices or which companies failed to cure and now face probes. He cited a few examples of alleged violations that businesses cured in response to notices, including an unnamed social media platform that users said was too slow to respond to CCPA requests and an online dating app that forced sharing of personal information during sign-up but didn't have a do-not-sell link as required by the law. "Businesses are motivated and able to comply with the law,” and the “vast majority” comply, said Bonta. No “gotchas,” he said. The AG launched an online tool on Monday so consumers can directly notify a business that lacks a clear and easy-to-find do-not-sell link on its website. Such consumer notices “may” trigger the 30-day cure period, he said. Bonta said he hopes for higher uptake from consumers clicking do-not-sell links to get CCPA protections. California started enforcing CCPA about a year ago.

House Commerce Committee Democrats should hold hearings and markups to develop a “strong federal privacy framework” for data, said ranking member Cathy McMorris Rodgers, R-Wash., and House Consumer Protection Subcommittee ranking member Gus Bilirakis, R-Fla., marking one year since EU-U.S. Privacy Shield invalidation (see 2107140020). They called the invalidation a “major setback for the privacy protections of Europeans and Americans and a significant disruption to cross-border data flow.” They urged the committee to show leadership in protecting American data and “finally enact a national privacy standard.” The office for House Commerce Committee Chairman Frank Pallone, D-N.J., didn’t comment. Senate Commerce Committee ranking member Roger Wicker, R-Miss., and Senate Consumer Protection Subcommittee ranking member Marsha Blackburn, R-Tenn., joined Rodgers and Bilirakis in a separate letter Friday urging President Joe Biden to “prioritize comprehensive data privacy legislation as part of the Administration’s agenda.” They called for a federal standard to replace a patchwork of state privacy laws.

Ohio lawmakers proposed a comprehensive data privacy bill that would apply to businesses with at least $25 million revenue in the state. “Federal and state laws do not adequately protect how companies use your personal data and what rights you have to that information,” Lt. Governor Jon Husted (R) said Tuesday on the bill (HB-376) introduced Monday. “Without action in this space on the federal level, it’s important that our state take the lead.” Rep. Rick Carfagna (R) said his bill “will balance reasonable privacy standards to protect Ohioans with less bureaucracy and regulation on businesses.” The plan lists data rights for consumers including a right to delete personal data and to request that businesses not sell such information. Ohio’s attorney general would exclusively enforce HB-376, which has no private right of action. The bill would give enhanced legal protection for Ohio businesses that adopt the National Institute of Standards and Technology privacy framework. Husted’s office shared supportive statements Tuesday from Charter Communications, the Ohio Cable Telecommunications Association and several business groups including the Ohio Business Roundtable and Ohio Chamber of Commerce. Colorado enacted the third state privacy law last week (see 2107080004).

Colorado is the third state with a comprehensive privacy law, after Gov. Jared Polis (D) signed SB-190 Wednesday, following California and Virginia (see 2106080066). Polis said he hopes his state’s law can become a template for a national law. “In the haste to pass this bill, several issues remain outstanding,” which will require “clean-up legislation next year,” noted Polis: Talks started among legislators and stakeholders. The governor asked negotiators to “strike the appropriate balance between consumer protection while not stifling innovation and Colorado’s position as a top state to do business.” In coming months, the Computer and Communications Industry Association hopes policymakers engage stakeholders "to address implementation issues, so that businesses have sufficient clarity for meeting their new compliance obligations," said CCIA State Policy Director Alyssa Doom.

The largest voice service providers are now using secure telephone identity revisited and signature-based handling of asserted information using tokens (Stir/Shaken), FCC acting Chairwoman Jessica Rosenworcel announced Wednesday. That was the deadline for the largest providers to implement the caller ID authentication framework. A Consumer and Governmental Affairs Bureau report Tuesday said 207 providers have certified complete implementation (see 2106290060). Smaller providers were granted an extension until June 30, 2023, and the commission is considering shortening that deadline by one year (see 2105200072). “While there is no silver bullet in the endless fight against scammers, STIR/SHAKEN will turbo-charge many of the tools we use in our fight against robocalls,” Rosenworcel said in a statement: “This is a good day for American consumers who -- like all of us -- are sick and tired of illegal spoofed robocalls.” T-Mobile said Wednesday it's filing a certification of completion at the FCC saying all calls on its network are now compliant with the requirement. “We were first to implement number verification in 2019 and today, all calls originating on the T-Mobile network are 100% STIR/SHAKEN compliant, giving our customers peace of mind that their calls are protected against scammers and spammers,” said Jon Freier, executive vice president-T-Mobile Consumer Group.

A privacy measure under consideration in Connecticut “contains unworkable and inconsistent provisions and would substantially harm both businesses and consumers,” the Association of National Advertisers, American Advertising Federation, American Association of Advertising Agencies and Interactive Advertising Bureau wrote. Tuesday's letter was emailed to journalists Wednesday. The groups worry of rushing to passage of SB 1202 during a two-day special session, asking its provisions be removed from a budget rider.

Facebook's oversight board will review company policy on sharing private residential information, it said Tuesday. The social media giant asked the panel for recommendations about its policy on privacy violations and image privacy rights, it said. The request noted potential harms linked to releasing personal information such as addresses, including “doxing” (releasing documents) for revenge or stalking. Facebook must send panel recommendations through its official policy development process and give regular updates; it must publicly respond and follow up on recommendations within 30 days of receiving them, the board said. It wants input by July 9 whether free speech is unduly restricted if Facebook bars users from sharing any private residential information; benefits and limitations of automated technologies in enforcing the policy; and how the company should treat private information about a public figure and how that should be defined.