Illustrative image.

Mark Weinstein, Tribune News Service

Last month, Sen. Maria Cantwell, D-Wash., and Rep. Cathy McMorris Rodgers, R-Wash., unveiled a rare government feat: a bipartisan bill that has lawmakers feeling “optimistic” and “fired up.” It’s the American Privacy Rights Act (APRA), and it’s long overdue. The U.S. lags far behind the rest of the world on privacy legislation; 137 of the world’s 194 countries have national privacy laws, according to the United Nations. We’re the G-20 outlier without one. This isn’t the kind of “exceptionalism” Americans should strive for. The proposal, which aims to “make privacy a consumer right” and “give consumers the ability to enforce that right,” comes at a pivotal moment. On April 20, President Joe Biden signed a bill to reauthorize the Foreign Intelligence Surveillance Act. While this law is a tool for safeguarding national security against foreign targets, it also allows collection of the web and cellphone data of hundreds of thousands of Americans and has a history of abuse by intelligence agencies. Meanwhile, the new law forcing a sale or ban of TikTok, meant to prevent foreign access to Americans’ data, provides only narrow protections.

Congress is under enormous pressure to deal with the rise of AI, combat surveillance capitalism and reduce the serious harms tech companies inflict upon kids and teens. There have been other federal privacy proposals, but they have failed in our gridlocked Congress. Led by the chairs of the House and Senate Commerce committees, APRA is the first to gain significant bipartisan and bicameral support. The immediate need for this legislation is clear. Tech companies aren’t the only culprits guilty of misusing our data. In March, General Motors was caught in a scandal when it was found sharing data on its customers’ driving behavior with insurance companies via data brokers — those often massive, multibillion-dollar companies that exist to buy, sell and resell our data. This speaks to part of APRA’s appeal: It’s remarkably broad. It would encompass the private sector, not-for-profits and common carriers, including tech and other companies and medium or large organizations that handle our data. And it proposes extra restrictions on data brokers.

To minimize data sharing, the legislation would prevent companies and organizations from collecting data that is not “necessary” or “proportionate” to the purpose for which the data is collected. In a victory for transparency, entities would be required to disclose the data they have on you and explicitly allow you to edit or delete it. In addition, it would require companies to allow consumers to opt out of targeted advertising and data collection by brokers. And finally, this legislation would allow you to sue companies and seek financial damages for violations of your privacy rights. The bill faces some significant criticisms, including from leading privacy advocates and organizations. A post from the Electronic Frontier Foundation took issue with the bill “preempting existing state laws and preventing states from creating stronger protections in the future,” warning that this condition “would freeze consumer data privacy protections in place.” Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, cautioned that any preemptive legislation should be stronger than existing state laws — which APRA currently is not, she suggested. The Electronic Frontier Foundation post argued that, for example, the bill should “limit sharing with the government and expand the definition of sensitive data.” And the ranking member of the House Energy and Commerce Committee, Rep. Frank Pallone Jr., D-N.J., said the bill “could be stronger in certain areas, such as children’s privacy.” These criticisms are valid but not enough so to derail the proposal.