The takeaway: the US Senate recently introduced three bipartisan bills aimed at regulating the tech industry’s collection and utilization of consumer data by imposing increased liability and improving security standards.
“For years, social media companies have told consumers that their products are free to the user. But that’s not true—you are paying with your data instead of your wallet,” said Sen. Mark R. Warner (D-Va.).
Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act (DASHBOARD)
DASHBOARD was introduced Monday, June 24th by Sens. Mark R. Warner (D-Va.) and Josh Hawley (R-Mo.). The proposed legislation mandates that commercial data operators with over 100 million monthly active users disclose—to both users and regulators—what data is gathered and how it’s used.
- Users are informed of the data being collected and receive regular valuations of that data
- Companies file annual reports on the total value of their user data and on any third-party contracts involving its collection
- Users can delete all, or individual fields, of data collected
- All uses of user data, including indirect uses, must be disclosed
- The Securities and Exchange Commission is empowered (not required) to develop methodologies to calculate the value of user data and enable industry adoption
The Ending Support for Internet Censorship Act (ESICA)
The most significant impact of the Ending Support for Internet Censorship Act would be on Section 230 of the Communications Decency Act. Section 230 shields tech companies from standard publisher liability for content posted by third parties.
ESICA would only apply to companies with over 30 million monthly active users in the U.S., 300 million globally, or with revenue beyond $500 million annually. Companies could be granted immunity by the Federal Trade Commission (FTC) if they can prove their algorithms are nonpartisan “by clear and convincing evidence.”
Internet of Things (IoT) Cybersecurity Improvement Act of 2019
Awaiting a full Senate vote after recently passing out of committee, this act would establish minimum security requirements for all devices purchased by the U.S. government and make coordinated vulnerability disclosure policies mandatory for third-party information system providers.
The bill doesn’t identify any minimum requirements and instead directs the National Institute of Standards and Technology (NIST) to issue recommendations and the Office of Management and Budget (OMB) to develop agency guidelines based on those recommendations.
For a more in-depth analysis and breakdown, view the Compliance Week article here.