From the draft bill:
"SEC. 111. ANTI-DISCRIMINATION.
(a) PROHIBITED CONDUCT.— A covered entity may not, through the collection use or sharing of personal information, discriminate against or make an economic opportunity unavailable on the basis of race, color, religion, national origin, sex, age, political ideology, or disability of a persons or class of persons.
(b) EXCEPTIONS.—Nothing in this section shall prohibit a covered entity from using or sharing personal information for the purpose of advertising, marketing, or soliciting economic opportunities to underrepresented populations."
The juxtaposition here makes it appear that every person could be considered a member of an underrepresented group and therefore that nothing will prohibit data sharing for marketing purposes. This bill looks like it is written with the goal of killing consumer privacy protections in the country.
Edit: Yes, I know draft bills change before they are passed. But draft bills often are the best expression of the drafters' priorities and intent.
Also: why are Republicans proposing big new regulation that would apply to every US business, impose additional bookkeeping & accounting work for every business, and then not improve consumer privacy protection? This is a tax on every US business, and it appears there is no meaningful payoff for consumers. Sounds like a lose-lose.
Here are some other antidiscrimination clauses in Federal law that read in a similar fashion:
From EEOC on employment: "race, color, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age (40 or older), disability and genetic information (including family medical history)." [1]
From FHA: "The Fair Housing Act prohibits this discrimination because of race, color, national origin, religion, sex, familial status, and disability." [2]
Note that this act's (a) clause does not contain "sexual orientation" as above, and (b) specifically contains the new protected category of "political ideology".
I'll give you a hint as to why they are doing this. There are already protections for race, color, religion, national origin, sex, age, and disability.
This is all about getting "political ideology" added to the list so that they can publicly discuss their horrendous beliefs and not get fired
> why are Republicans proposing big new regulation that would apply to every US business, impose additional bookkeeping & accounting work for every business, and then not improve consumer privacy protection?
The answer is obvious with their historic agenda...
> discriminate against or make an economic opportunity unavailable on the basis of race, color, religion, national origin, sex, age, political ideology, or disability of a persons or class of persons.
They want, ironically, the anti-discrimination clauses. They want to prevent someone from discriminating in tech. That would (they hope) block the perceived anti-right bias, and maybe even prevent companies from blocking people like trump all together.
Only the large companies will be able to comply keeping a barrier to entry for any competition. Everyone loses but the wealthy oligopolists so it's perfectly aligned.
> Also: why are Republicans proposing big new regulation that would apply to every US business, impose additional bookkeeping & accounting work for every business, and then not improve consumer privacy protection?
Two potential reasons.
One: They believe federal privacy regulations are inevitable, and want to take the opportunity to shape it as much as they can. Two years ago there were competing Republican & Democrat proposals for privacy legislation; the meats were pretty similar to each other, and GDPR, and CCPA. The differences were some subtle details around the edges that are likely to end up being HUGELY impactful.
For example, the democrat proposal included a Right of Private Action while the republican proposal did not. You can blah blah blah all goddamn day about what counts as private and what doesn't. But at the end of the day, the thing that matters most is "what happens when a company breaks the law?" Being able to sue them yourself is a very large difference from requiring all enforcement run through the Attorney General or an executive branch whose funding can be rescinded.
Two, but related to the first: There are currently multiple states that have local privacy regulations. The number is likely to increase. Companies would prefer to deal with one set of laws rather than fifty even if the one set of laws is more difficult that any of the fifty laws it replaces.
On a related note, the other serious difference between democrat and republican proposals was called "pre-emption." The republic proposal would have removed the ability for states to pass stricter privacy laws at home.
This is not a strategy to introduce a national privacy standard.
This is a strategy to introduce a national standard of no privacy.
"Principle #1: The internet does not stop at state lines, so why should one state set the standard for the rest of the country?"
then later
"Principle #4: We must also protect small businesses and innovation. We know that in Europe, investments in startups are down more than 40% since their data protection and privacy law—the General Data Protection Regulation—went into effect. We must guard against a similar situation here. We want small businesses hiring coders and engineers, not lawyers."
> "Principle #4: We must also protect small businesses and innovation. We know that in Europe, investments in startups are down more than 40% since their data protection and privacy law—the General Data Protection Regulation—went into effect. We must guard against a similar situation here. We want small businesses hiring coders and engineers, not lawyers."
I can't find it, but I remember just seeing a headline on HN that European startup investments were at an all-time high. First relevant search hits were [1], [2], I did not fact-check those.
You are probably right. One of the "go-to moves" of the Republicans is to find some bad thing that happened in Europe and claim we "don't want that!" even if takes quoting a small three week window in August when "investments were down 40%" because everyone was on vacation.
As suspicious as I am of their intentions, I also would like a world where small businesses do not need to hire lawyers. As in, I think privacy regulations and other regulations are best if the amount of work requires is proportional to your market capitalization. Of course, with lobbying things end up going in the exact opposite direction usually.
I would like a world where no one needed to hire lawyers. The law should be understandable to the average citizen sufficiently that they can ensure they are adhering to it.
You don't need to hire a lawyer to understand GDPR. That is just something they tacked on the end there to add a boogeyman to their argument that everyone hates.
> Privacy does not end at state lines and Americans deserve better than a patchwork of different and conflicting state laws.
Couldn't you replace "privacy" here with guns or healthcare or nearly any other national issue.
edit:
>SEC. 111. ANTI-DISCRIMINATION.
(a) PROHIBITED CONDUCT.— A covered entity may not, through the collection
use or sharing of personal information, discriminate against or make an economic
opportunity unavailable on the basis of race, color, religion, national origin, sex,
age, political ideology, or disability of a persons or class of persons.
Notice they added something to the normal "protected classes" in the US.
Few people sell guns or healthcare across the nation. Those are typically local businesses which only have to worry about local laws. An Internet business typically covers the whole country at least and this could easily be subject to a ton of different standards if Congress doesn't standardize it.
I think that's fair if you only look at this from a business perspective, but clearly those things have great effects across state lines even if the business is usually intrastate. (Although a good amount of gun purchases are done on the internet and the only local businesses is the FLL doing the receiving)
I think you have causality wrong here. There aren’t national businesses for guns or healthcare because regulatory burdens make that hard to impossible.
Why. The existing ones were un-changable aspects about you that you can't control, and are born into. You can change the addition with the wind, and its a thing you grow into and learn and mold.
How do you even define something as political? Eg. Saying X group of people should stop being killed by police is, to some, a validation of humanity, but to others a political issue to be argued at the ballot box?
What about marriage, which is based in laws, but some say should be a religious issue? Is that protected?
What about hate speech? Thats very much bad, until someone claims they're just politically conservative, so now its protected?
Political positions can be literally any point of view.
Will I be allowed to have a gun free workplace, for example, when I am required to hire people who believe in sovereign citizen movements? Will we be forced to permit people to carry guns in workplaces because of their political positions and values?
LGBT rights can also be defined as a political position. Same with being pro-Union. Will we be protecting doctors who believe in holistic medicine at major hospitals, and nurses who discourage all vaccinations?
The limit of what is an opinion vs a political opinion does not exist. Therefore this protects everyone and nobody at the same time.
Some interesting points I gleamed from skimming the draft:
1. The way “small-to-medium” and “large” businesses or “entities” are defined. The bill separates entities into 2 classes based on any of 3 factors: annual revenue, number of users, and percentage of revenue from the sale of consumer information. So even if you’re a one-person startup with 20 users, if you make the larger part of your revenue from consumer data, you are considered a large entity. The extra compliance requirements for large entities seem quite onerous.
2. Two levels of personal information. This might be pre-existing in U.S. code (I don’t know) but the bill defines a separate category of “sensitive information,” that is quite broad, including data on your health, geolocation, biometric markers, finances, children, private communications, and government IDs. All other data that is not encrypted or de-identified is “personal information.”
3. Most of the rights and procedures defined in the bill apply only to personal information, and there are many exceptions, such as “performing a task carried out in the public interest.” So you have no right to privacy if the entity believes sharing your data will be in the public interest?
4. No rights or restrictions apply to the collection and usage of “sensitive information” except that “express prior consent” and “separate consent” are given before collection, use, and sharing of it. I would have expected there to be more rules and restrictions around the sensitive data, not less.
It seems to me that very little of what today’s companies collect would be considered “personal information” according to this bill. Most of it would either be disqualified by encryption or de-identification, or fall under sensitive information.
The content of the standard matters immensely, as this almost certainly will preempt state standards.
If they make a weak law, this is essentially reversing CCPA and its copycats. This would have the effect of stripping privacy protection.
If they make a strong law, this is essentially extending CCPA etc to the whole country and making it standardized. This would be a huge win for consumer privacy.
I haven't read the draft bill, but the "Principle 4" makes me think they plan on making some huge exceptions in the protections.
> We must also protect small businesses and innovation. We know that in Europe, investments in startups are down more than 40% since their data protection and privacy law—the General Data Protection Regulation—went into effect. We must guard against a similar situation here. We want small businesses hiring coders and engineers, not lawyers.
I was about to say something along the lines of, since it was introduced by Republicans you know that this will get ignored. However, after reviewing what they are actually proposing, I hypothesize that this isn't actually designed to increase privacy.
I believe this is more about them making it easier to collect data and giving businesses more means to do so at your expense. If they wanted to increase privacy they'd mirror at least somewhat the CCPA, which already addresses many of these issues. The CCPA is not perfect and there are far too many exceptions IMO, but at least it was effective and California residents can easily request that their accounts and information be deleted.
If anything they should be looking at the CCPA and GDPR as a starting point for how to address privacy, not ignore and gaslight you into thinking they are somehow bad. I hope that a tech blog and EFF do a write up on this and create an entire campaign against what the Republicans are proposing here so that people don't get duped by this con.
I think the idea is that if Congress doesn't act, the states are going to still set their own privacy standards. If there are fifty different standards in fifty different states, only large companies will have the manpower to sort out what they all require. These congressmen want to put everyone on the same standard so small companies can have websites and only have to worry about one standard of privacy.
Readit News
(a) PROHIBITED CONDUCT.— A covered entity may not, through the collection use or sharing of personal information, discriminate against or make an economic opportunity unavailable on the basis of race, color, religion, national origin, sex, age, political ideology, or disability of a persons or class of persons.
(b) EXCEPTIONS.—Nothing in this section shall prohibit a covered entity from using or sharing personal information for the purpose of advertising, marketing, or soliciting economic opportunities to underrepresented populations."
The juxtaposition here makes it appear that every person could be considered a member of an underrepresented group and therefore that nothing will prohibit data sharing for marketing purposes. This bill looks like it is written with the goal of killing consumer privacy protections in the country.
Edit: Yes, I know draft bills change before they are passed. But draft bills often are the best expression of the drafters' priorities and intent.
Also: why are Republicans proposing big new regulation that would apply to every US business, impose additional bookkeeping & accounting work for every business, and then not improve consumer privacy protection? This is a tax on every US business, and it appears there is no meaningful payoff for consumers. Sounds like a lose-lose.
From EEOC on employment: "race, color, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age (40 or older), disability and genetic information (including family medical history)." [1]
From FHA: "The Fair Housing Act prohibits this discrimination because of race, color, national origin, religion, sex, familial status, and disability." [2]
Note that this act's (a) clause does not contain "sexual orientation" as above, and (b) specifically contains the new protected category of "political ideology".
[1] https://www.eeoc.gov/employers/small-business/3-who-protecte...
[2] https://www.hud.gov/program_offices/fair_housing_equal_opp/f...
This is all about getting "political ideology" added to the list so that they can publicly discuss their horrendous beliefs and not get fired
https://www.shouselaw.com/ca/labor/harassment/political-reta...
The answer is obvious with their historic agenda...
> discriminate against or make an economic opportunity unavailable on the basis of race, color, religion, national origin, sex, age, political ideology, or disability of a persons or class of persons.
They want, ironically, the anti-discrimination clauses. They want to prevent someone from discriminating in tech. That would (they hope) block the perceived anti-right bias, and maybe even prevent companies from blocking people like trump all together.
This bill is really about banning content moderation. Everything else is window dressing.
Two potential reasons.
One: They believe federal privacy regulations are inevitable, and want to take the opportunity to shape it as much as they can. Two years ago there were competing Republican & Democrat proposals for privacy legislation; the meats were pretty similar to each other, and GDPR, and CCPA. The differences were some subtle details around the edges that are likely to end up being HUGELY impactful.
For example, the democrat proposal included a Right of Private Action while the republican proposal did not. You can blah blah blah all goddamn day about what counts as private and what doesn't. But at the end of the day, the thing that matters most is "what happens when a company breaks the law?" Being able to sue them yourself is a very large difference from requiring all enforcement run through the Attorney General or an executive branch whose funding can be rescinded.
Two, but related to the first: There are currently multiple states that have local privacy regulations. The number is likely to increase. Companies would prefer to deal with one set of laws rather than fifty even if the one set of laws is more difficult that any of the fifty laws it replaces.
On a related note, the other serious difference between democrat and republican proposals was called "pre-emption." The republic proposal would have removed the ability for states to pass stricter privacy laws at home.
Dead Comment
This is a strategy to introduce a national standard of no privacy.
"Principle #1: The internet does not stop at state lines, so why should one state set the standard for the rest of the country?"
then later
"Principle #4: We must also protect small businesses and innovation. We know that in Europe, investments in startups are down more than 40% since their data protection and privacy law—the General Data Protection Regulation—went into effect. We must guard against a similar situation here. We want small businesses hiring coders and engineers, not lawyers."
I can't find it, but I remember just seeing a headline on HN that European startup investments were at an all-time high. First relevant search hits were [1], [2], I did not fact-check those.
[1] https://news.crunchbase.com/news/european-vc-funding-h1-2021... [2] https://www.cnbc.com/2021/06/18/european-start-up-investment...
https://2utfff4d3dkt3biit53nsvep-wpengine.netdna-ssl.com/wp-...
Deleted Comment
Deleted Comment
This is not that world.
Couldn't you replace "privacy" here with guns or healthcare or nearly any other national issue.
edit:
>SEC. 111. ANTI-DISCRIMINATION. (a) PROHIBITED CONDUCT.— A covered entity may not, through the collection use or sharing of personal information, discriminate against or make an economic opportunity unavailable on the basis of race, color, religion, national origin, sex, age, political ideology, or disability of a persons or class of persons.
Notice they added something to the normal "protected classes" in the US.
"Oh no, we want states level laws for that."
Deleted Comment
How do you even define something as political? Eg. Saying X group of people should stop being killed by police is, to some, a validation of humanity, but to others a political issue to be argued at the ballot box?
What about marriage, which is based in laws, but some say should be a religious issue? Is that protected?
What about hate speech? Thats very much bad, until someone claims they're just politically conservative, so now its protected?
Will I be allowed to have a gun free workplace, for example, when I am required to hire people who believe in sovereign citizen movements? Will we be forced to permit people to carry guns in workplaces because of their political positions and values?
LGBT rights can also be defined as a political position. Same with being pro-Union. Will we be protecting doctors who believe in holistic medicine at major hospitals, and nurses who discourage all vaccinations?
The limit of what is an opinion vs a political opinion does not exist. Therefore this protects everyone and nobody at the same time.
Dead Comment
1. The way “small-to-medium” and “large” businesses or “entities” are defined. The bill separates entities into 2 classes based on any of 3 factors: annual revenue, number of users, and percentage of revenue from the sale of consumer information. So even if you’re a one-person startup with 20 users, if you make the larger part of your revenue from consumer data, you are considered a large entity. The extra compliance requirements for large entities seem quite onerous.
2. Two levels of personal information. This might be pre-existing in U.S. code (I don’t know) but the bill defines a separate category of “sensitive information,” that is quite broad, including data on your health, geolocation, biometric markers, finances, children, private communications, and government IDs. All other data that is not encrypted or de-identified is “personal information.”
3. Most of the rights and procedures defined in the bill apply only to personal information, and there are many exceptions, such as “performing a task carried out in the public interest.” So you have no right to privacy if the entity believes sharing your data will be in the public interest?
4. No rights or restrictions apply to the collection and usage of “sensitive information” except that “express prior consent” and “separate consent” are given before collection, use, and sharing of it. I would have expected there to be more rules and restrictions around the sensitive data, not less.
It seems to me that very little of what today’s companies collect would be considered “personal information” according to this bill. Most of it would either be disqualified by encryption or de-identification, or fall under sensitive information.
If they make a weak law, this is essentially reversing CCPA and its copycats. This would have the effect of stripping privacy protection.
If they make a strong law, this is essentially extending CCPA etc to the whole country and making it standardized. This would be a huge win for consumer privacy.
I haven't read the draft bill, but the "Principle 4" makes me think they plan on making some huge exceptions in the protections.
I was about to say something along the lines of, since it was introduced by Republicans you know that this will get ignored. However, after reviewing what they are actually proposing, I hypothesize that this isn't actually designed to increase privacy.
I believe this is more about them making it easier to collect data and giving businesses more means to do so at your expense. If they wanted to increase privacy they'd mirror at least somewhat the CCPA, which already addresses many of these issues. The CCPA is not perfect and there are far too many exceptions IMO, but at least it was effective and California residents can easily request that their accounts and information be deleted.
If anything they should be looking at the CCPA and GDPR as a starting point for how to address privacy, not ignore and gaslight you into thinking they are somehow bad. I hope that a tech blog and EFF do a write up on this and create an entire campaign against what the Republicans are proposing here so that people don't get duped by this con.
Is that a typo? Did they mean supports individuals?
Hey, it doesn't stop at national borders either.