Two House Democrats have reintroduced a sweeping privacy bill that would impose broad restrictions on companies' ability to use online data for ad targeting.
The 143-page Online Privacy Act, introduced by California Reps. Anna Eshoo and Zoe Lofgren, would require that companies obtain consumers' explicit consent before collecting or drawing on their “personal information” in order to serve them with targeted ads, or to personalize content.
The bill's authors define personal information broadly enough to cover the type of data typically used for ad targeting. The definition includes de-identified data, as well as data that is reasonably linkable to a device or individual.
One of the bill's many provisions would give consumers the right to access, edit and delete data about themselves.
Another would require companies to inform users about data breaches as well as what the authors call “data abuses” -- which would include data processing by third parties in unexpected ways.
The bill is supported by advocacy groups including Public Knowledge, the Electronic Privacy Information Center and Accountable Tech.
The measure is just one of numerous recently unveiled privacy bills.
Earlier this month, two House Republicans floated a draft of the "Control Our Data Act" -- a much narrower measure that would allow consumers to access, correct and delete personal information, as well as opt out of its collection, use or sharing.
That bill's definition of personal information excludes pseudonymized data. While the draft doesn't offer examples of pseudonymized data, the ad industry has often said data relied on for ad targeting -- including cookies and device identifiers -- is pseudonymous.
A separate Republican Senate privacy bill, the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act,” would require companies to allow consumers to access, edit, delete and port data that's “reasonably linkable” to them, or to their devices.
That measure would also require companies to obtain consumers' affirmative consent before processing or transferring their “sensitive” information -- which would include financial account numbers, persistent identifiers, precise geolocation data, and data revealing people's race, ethnic origin, religion and sexual orientation.