Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



Marco Rubio Proposes New Federal Data Privacy Bill

U.S. Senator Marco Rubio (R-Fla.) introduced a bill on Wednesday designed to provide privacy legislation for the entire nation — that is, federal law. It is based on the Privacy Act of 1974, which was introduced post-Watergate to protect people from government storage and retrieval of personal data.

U.S. Senator Marco Rubio (R-Fla.) introduced a bill on Wednesday designed to provide privacy legislation for the entire nation — that is, federal law. It is based on the Privacy Act of 1974, which was introduced post-Watergate to protect people from government storage and retrieval of personal data. Rubio’s American Data Dissemination Act (ADD) is designed to do similar, but is aimed at private industry’s collection of personal data.

The key point in the bill is that responsibility is handed to the FTC — who must, within 180 days — submit detailed recommendations for privacy requirements that Congress can then impose. These recommendations must be substantially similar to the requirements of the 1974 Privacy Act. In a contribution to The Hill, Rubio explained, “We should use the non-partisan expertise from the agency of jurisdiction to ensure lawmakers make informed decisions to properly protect consumers.”

If Congress fails to enact the FTC’s recommendations within a further two years, the Act gives the FTC authority to issue a final rulemaking. So, within two-and-half years of this bill becoming law, there will be a federal privacy law for the people of America. Whether it is a strong law or a weak law will depend upon the FTC. The FTC’s mandate is to prohibit “unfair or deceptive acts or practices in commerce”; but it interprets this as protection for both citizens and businesses.

There are two primary guidelines provided by Rubio. The first is to exempt start-ups. The idea is to promote competition. “Facebook, Apple, Amazon, Netflix, Google (FAANG) and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG’s current dominance,” writes Rubio. Perhaps Microsoft should be added to FAANG.

The second is to give users the right to access and correct personal records that are not accurate, relevant, timely or complete as defined by the FTC, and a process for deletion of a record. It is not immediately apparent whether deletion can be applied to any record, or only those that are not accurate — such details will come out in the FTC recommendations which will ultimately take precedence over the will of Congress.

Rubio’s proposal is generally welcomed — but with several riders. The first is that as a federal law, it will, through the Constitution’s Supremacy Clause, take precedence over state laws. Consider the strong California Consumer Protection Act (CCPA) that will come into effect next year.

“Both bills seek to establish similar protections for consumers,” explains Attila Tomaschek, digital privacy expert at, “but Californiaís bill is markedly more strict on businesses than Senator Rubio’s proposal in that it gives ‘personal data’ an extremely broad definition, severely limiting what data can be collected and used freely by businesses with customers in California.”

Companies like Facebook have customers both within and outside of California. These companies would be bound by the federal law and not the California law.  

“Senator Rubio’s proposed national privacy regulation is a step in the right direction,” comments Anupam Sahai, VP of product management at Cavirin. “However, any law needs to provide real protection, along the lines of the EU GDPR or Californiaís Consumer Privacy Act. One issue with the proposal is that it preempts state laws which may offer more comprehensive privacy guarantees. This is a step in the wrong direction.”

The relevance of the 1974 act in 2018 is also questioned. “While we should celebrate our federal government’s attention to this global challenge,” Shahrokh Shahidzadeh, CEO at Acceptto told SecurityWeek, “it is worth stressing that the Privacy Act of 1974 guardrails are not sufficient and may not be the right framework for two core reasons: firstly, the validity of exemptions in 2020 compared to 1974; and secondly, the reality that the boundary-perimeter of our world has changed significantly in the last four decades.”

Shahidzadeh, like Sahai, believes a better framework would be Europe’s GDPR  — and this raises a further point. American companies trading with Europe will have to comply with the Privacy Shield operating between the EU and the U.S. This in turn means that these companies will have to offer privacy comparable to GDPR.

However, during the six months in which the FTC develops its recommendations, it will be subject to extensive lobbying from FAANG. If the FTC proposals come out weaker than GDPR, then Privacy Shield (already criticized by many Europeans) will be rocked and perhaps even scrapped by Europe. The problem here is that the FTC’s recommendations will inevitably be weaker than GDPR through the requirement to exempt small, new businesses.

Rubio fears that excessive regulation will inhibit new business — and there is indeed great debate over this. In a paper published in November 2018, Jian Jia and Liad Wagman of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland show that European tech firms are receiving less venture funding than their U.S. counterparts; and this primarily applies to early-stage investments. Such companies “are particularly susceptible to a negative effect from GDPR,î wrote the researchers.

However, this conclusion is questionable; there are other issues at play in Europe. The ‘will she, won’t she and under what conditions’ Brexit affair has caused considerable EU-wide economic uncertainty; and investors hate uncertainty. Furthermore, the European Venture Report produced by PitchBook and published in October 2018, notes that while overall European investment has dropped, the share of capital received by software firms is higher than ever. The question whether strong legislation inhibits new business is moot.

Concerns over Rubio’s proposal, including trade with Europe and precedence over state laws, aside, it is generally accepted that the U.S. needs a single federal law for all Americans — just as GDPR is in effect a single federal law for all Europeans, taking precedence over any weaker (but not stronger) national laws. “Perhaps if Senator Rubio’s bill would allow for individual States to enforce certain provisions, instead of overriding State privacy laws and affording all jurisdiction to the FTC, the bill would be more effective for both consumers and businesses alike,” comments Tomaschek.

“With large scale data breaches occurring more commonly each year, concludes Timur Kovalev, chief technology officer at Untangle, “it is great to see a focus on data privacy with the recently proposed American Data Dissemination (ADD) Act. The ADD Act aims to create concrete rules on privacy for major commercial companies to follow within the United States. Currently, individual states are responsible for establishing their own privacy laws. The ADD Act would supersede state laws, even those states with stricter rules, which could make this Act difficult to pass. With Europe passing their own privacy rules with GDPR, data privacy is becoming a necessary conversation for governments all over the world. As hackers evolve their tactics and cybersecurity concerns continue to escalate, data privacy and consumer protection need to be top of mind for governments and businesses alike.”

Related: State vs. Federal Privacy Laws: The Battle for Consumer Data Protection 

Related: Intel Asks for Comments on Draft Federal Privacy Law 

Related: California, Home of Silicon Valley, Ramps Up Online Privacy Law

Related: Battle Lines Forming Ahead of a Looming U.S. Privacy Law Fight

Related: Clear Scope for Conflict Between Privacy Laws

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.