A group of U.S. senators recently introduced new legislation that includes a duty of care concept for online companies. Called the Data Care Act and supported by 15 Democratic senators, the bill would also provide the Federal Trade Commission with rule-making authority to enforce the law. The bill's fiduciary-like standards — duty of care, loyalty and confidentiality — would be a new concept in federal U.S. privacy law. 

One of the bill's co-sponsors is Sen. Maggie Hassan, D-N.H. In a phone interview with The Privacy Advisor, Hassan characterized the bill as "a common sense way to legally obligate online service providers to act in the best interests of consumers so they know their data is being protected and used responsibly. Increasingly, consumers are asked to agree to pages and pages of terms every time they sign up for a new service. It's not reasonable to expect consumers to wade through and understand these terms to provide true informed consent." 

Going further, Hassan said it's also not reasonable for consumers to have to forgo a service because of confusing terms. She explained that it's long overdue for service providers to have certain duties to ensure they protect their users' data. 

Granting the FTC more regulatory power, however, might not pass muster with a largely anti-regulatory GOP. No Republican senators, for example, co-sponsored the bill. All 15 sponsors are Democrats. But Hassan said conversations with Republicans are ongoing. She said there "is broad support for concepts in the bill from privacy scholars" and that "Republicans will find several conservative groups that support the bill." Hassan said the Internet Association "is committed to working with us toward a bill."

On the other side of the aisle, some on the left are concerned the bill doesn't go far enough. Sen. Ron Wyden, D-Ore., released his version of a draft bill in November that calls for "radical transparency," including a provision that would send corporate executives to jail. Wyden's bill would cover companies with more than $50 million in revenue and with the personal data of one million or more users. It would create a national "Do Not Track" opt-out website and give the FTC power to fine offending companies for a first offense. 

"I am hopeful we will find a good compromise bill," Hassan said. "One thing that is important to me is that by setting these duties — the duty of care, loyalty and confidentiality — it provides a framework that can be used to judge the behavior of online service providers with regard to how they use consumer data." 

The standard set by the three fiduciary duties also allows for flexibility in a rapidly changing digital ecosystem. Technology is rapidly evolving, and this bill, Hassan said, is designed to set standards, not be overly prescriptive, so that it can address new technological challenges as they arise and evolve. The backbone for this would be the FTC's new enforcement powers.

Hassan said she hears from her constituents a lot about their online privacy concerns: "People keep hearing about how Facebook, Google and other companies are using their data in ways they didn't know about or anticipate." She also said companies aren't doing enough to protect user data and people "don't seem to have rights under the law and once their data is out there, the harm is already done." 

She expressed concern about this week's revelations by The New York Times that Facebook had previously undisclosed data-sharing agreements with as many as 150 different companies. "These reports about Facebook have gotten Congress's attention in both chambers and on both sides of the aisle," she said. 

Hassan didn't mince words, either, about her concerns about Facebook as a whole. "I have long been concerned about the tension between Facebook's business model and its users' privacy and well being," she said. "I asked [Facebook CEO] Mark [Zuckerberg] about this earlier this year. When you look at their business model, it says its profits depend on keeping users on the platform and sharing as much as possible." She said that's in conflict with users' well being. 

"It's incumbent for those of us in Congress to impose laws" that help better align the interests of online companies with the well being of their users, she said. "No matter how big a company gets," she added, "they still need to be held to the same standards." 

So what will that mean for a federal privacy law in 2019? There's still uncertainty in Washington, but ongoing news reports about online companies' use of personal data and new state laws like the California Consumer Privacy Act of 2018 are propelling interest in a federal law. 

"I think the CCPA has made industry realize that they need to come to the table," Hassan said. "When those forces come together, we have prospects for thoughtful work that will hopefully create a good, strong framework that allows for the regulation of technology."  
