The ACLU and others would prefer what is being touted as a “universal opt-out” in which consumers could one-stop shop and end all tracking by using a national registry of sorts. The Federal Trade Commission suggested such legislation in December.
“Consumers need strong baseline safeguards to protect them from the sophisticated data profiling and targeting practices that are now rampant online and with mobile devices. We cannot support the bill at this time,” Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse and Privacy Times wrote McCain and Kerry on Tuesday.
While I have concerns about the proposed legislation, I don't know that I agree with the sentiments expressed by the quoted advocacy organizations. True, the bill could do more for privacy. However, the U.S. has generally been slow to enact laws protecting privacy, so letting the perfect be the enemy of the good in this case doesn't seem to make sense. Also, the bill (at least as proposed) does do more than prevent tracking. For example, section 101 requires the FTC to make rules requiring covered entities to establish security measures to protect the data they do collect, and section 202(A)(4) requires the FTC to make rules enabling individuals to correct information stored about them. There are also provisions requiring covered entities to design their products with privacy in mind (section 103) and to minimize the data they collect (section 301). These are all potentially helpful provisions, and the fact that they weren't mentioned indicates to me that the bill might not be getting all the credit it deserves.
With that having been said, I do have two problems with the bill that (if anyone were interested in my opinion) would stop me from supporting it. First, as mentioned in the Wired article, it preempts potentially more stringent state laws (section 405). This is a significant problem, as states are generally well ahead of the federal government on privacy issues. Second, it specifically states that it does not create any kind of private right of action (section 406). This is also a significant issue, since giving people the right to sue would likely result in much more vigorous enforcement of the law than simply relying on the FTC.
The bottom line for me is that, while the legislation includes a number of privacy-protective features, its incompatibility with stronger state laws, as well as its lack of a private right of action, mean that, if passed, it probably wouldn't help (and might even hurt) consumer privacy rights.