Facebook may not be able to ride out its bad news cycle scot-free after all. On Tuesday, Sens. Amy Klobuchar, a Democrat from Minnesota, and John Kennedy, a Republican from Louisiana, released a sweeping new bill that, if passed, would impose strong new regulations on companies like Facebook and Google that collect data on users.
The Social Media Privacy Protection and Consumer Rights Act of 2018 (you can read the whole thing here) would require that websites provide users a copy of the data that’s being collected on them, free of charge, as well as a list of who has had access to their data, either through a sale or simply by it being made available. The new bill also proposes that companies disclose how personal data collected about users is leveraged—for example, through targeted advertising—and how employees of the company have access to it. And if a website does mishandle users’ personal data, the internet company would be required to alert users within 72 hours—a far tinier window than what happened after Facebook learned user data bad been improperly obtained by the voter analytics firm Cambridge Analytica. When Facebook learned in 2015 that tens of millions of its users had their data harvested by app developers who later transferred that data to Cambridge Analytica for use in voter targeting on Sen. Ted Cruz’s presidential campaign, the company decided not to alert users about what happened until more than two years later, when the Guardian and the New York Times reported on the incident and reportedly learned that the firm had not deleted the data even though it had previously said it did.
The proposed legislation comes two weeks after the House and Senate grilled Facebook CEO Mark Zuckerberg in two hearings on how the company treats the personal data of the Americans who trust it. Republicans and Democrats were unhappy with the CEO, who spent the hearings promising to clean up his company’s act. But Facebook has made promises about respecting user privacy before—a troubled history that gives lawmakers good reason to push for regulation now.
Until 2014, Facebook allowed developers to extract data not only from people who downloaded their apps but from all their friends, too—a practice that Cambridge Analytica’s partners were far from alone in pursuing. And it wasn’t until last month that Facebook admitted that it believes that most users have had their public profile information harvested by third parties via a Facebook feature that allowed users to search for other users via someone’s phone number or email address, which Facebook says has been abused by malicious hackers that would scour Facebook using lists of emails and phone numbers they already had.
Facebook already has a tool that lets users download some of the data that the company collects on them, like photos and videos uploaded, facial recognition data, and history of searches—it even includes what advertising categories Facebook has put you in. Still, the current download doesn’t include your browsing data or what information about you an advertiser may have uploaded months ago, as Wired points out. The new proposal would require companies like Facebook to hand over a copy of the personal data it processes on people—Facebook wouldn’t get to pick and choose which bits it wants to share.
There’s currently no comprehensive digital privacy law in the United States, unlike in Europe, where a new sweeping suite of online privacy rules is slated to go into effect at the end of May. Companies aren’t currently required by federal law to alert users if their data had been stolen or improperly removed from a platform, nor are they required to share what information they collect on people or how it’s used.
The momentum in Congress to do something to rein in the sprawling online data collection industry appears to have some support on both sides of the aisle, though it’s yet unclear how deep it goes on either side. The next move belongs to constituents, activists, and advocates.