The Marketing Is Loud. The Text Is Quieter.

The federal data privacy bill that cleared the relevant committees in April is being marketed as the comprehensive federal framework that consumers have been asking for since 2018. The press releases use phrases like comprehensive, durable, and consumer-centric. I helped build the systems this bill regulates. Let me explain how this actually works.

The bill, in its current form, provides three things. It provides a right of access for consumers to data that covered businesses hold about them. It provides a right of deletion, subject to a list of exceptions long enough to fit on its own page. It provides a private right of action against businesses that violate specified provisions, subject to a series of procedural gates that effectively limit class action availability. The bill also provides one thing it does not advertise. It preempts state law. The preemption is the part the bill's sponsors do not want to discuss on the floor.

The Preemption Tradeoff

The preemption tradeoff is the tradeoff that has killed every prior version of a federal privacy bill. Stronger state laws, including the California Consumer Privacy Act and its successor amendments, give consumers more protections than the federal floor in the current bill. Preempting those laws in favor of the federal floor reduces consumer protection on net, even as the bill is being marketed as the opposite. The states that are watching this fight, principally California, Washington, Illinois, and Texas, have all signaled in committee testimony that they consider the preemption clause a deal-breaker.

The bill's sponsors argue that preemption is necessary to give covered businesses a single compliance framework instead of fifty different state regimes. The argument is honest as far as it goes. The argument is also self-interested in a way the floor speeches do not acknowledge. The covered businesses, principally the large advertising-funded platforms, prefer one federal floor that they helped write to fifty state ceilings that they cannot control.

What The Bill Does Not Do

The bill does not regulate the collection of biometric data beyond a narrow category that excludes the data your phone is collecting right now. The bill does not regulate the use of inferential profiling, which is the actual surveillance practice the consumer is concerned about even when the consumer does not have the vocabulary to describe it. The bill does not regulate location data sharing among first-party applications on a single device. The bill does not regulate the resale of mobile advertising IDs, which are the unique identifiers that allow the advertising ecosystem to recompose your behavior across applications and devices.

The bill does establish a Federal Trade Commission enforcement framework. The FTC will, under the bill, gain expanded authority to bring enforcement actions and to seek civil penalties. The enforcement framework is a real improvement over the current state of FTC privacy authority. The framework is also, in plain reading, an enforcement framework against marginal practices rather than against the structural practices that make your phone the surveillance device it is.

The Code Does Not Lie

The code does not lie. The press release does. If you want to know what your phone is actually doing right now, open the settings application and look at the location services permissions. Look at the list of applications that have requested location access. Look at the list that have requested background access. Look at the list that have requested precise location rather than approximate location. The list will be longer than you remember granting permission to. The list will include applications that you have not opened in months and that have no reasonable business purpose for the access they have.

The bill, as written, does not change that. The bill creates disclosure obligations and access rights. The bill does not constrain the underlying collection practice. The collection practice is the practice that produces the dataset that is then used in ways the consumer would not consent to if asked.

What I Would Do If I Were Drafting

I would draft a federal privacy framework that establishes a floor and explicitly preserves state laws that exceed the floor. The state laboratory of democracy is exactly the kind of forum where privacy regulation should evolve. Preempting the state work, in favor of a federal floor that lobbying has already shaped, gives up the laboratory in exchange for the floor. The tradeoff is bad.

I would draft a framework that regulates the practice rather than the disclosure. Collection limitations, retention limitations, and downstream use limitations are the actual policy instruments that protect privacy. Disclosure-and-access frameworks are the policy instruments that produce paperwork. The paperwork is not the privacy.

The Practical Step For The Reader

The practical step for the reader, regardless of what the bill does, is to audit your own device this week. Open the settings application. Look at the location services permissions. Revoke the ones that are not justified by your actual use of the application. Look at the microphone permissions. Look at the contacts and photos permissions. Look at the data and battery usage by application. The applications that are using the most data and battery in the background are usually the applications that are doing the most that you did not ask them to do.

Decentralize everything. If your phone is going to be a tracking device, at least make it a tracking device you have configured intentionally. The bill that the committee just passed will not do that work for you. Spoiler alert. Your federal government rarely does that work for anyone.