US Sen. Marco Rubio (R-Fla.) has proposed a federal privacy law that would preempt tougher privacy rules issued by states.

Rubio's announcement Wednesday said that his American Data Dissemination (ADD) Act "provides overdue transparency and accountability from the tech industry while ensuring that small businesses and startups are still able to innovate and compete in the digital marketplace."

But Rubio's bill establishes a process for creating rules instead of issuing specific rules right away, and it allows up to 27 months for Congress or the Federal Trade Commission to write the actual rules.

In addition, the bill text says it "shall supersede" any provision of a state law that pertains to the same consumer data governed by Rubio's proposed federal law. That includes names, Social Security numbers, other government ID numbers, financial transactions, medical histories, criminal histories, employment histories, user-generated content, "unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation," and other personal data collected by companies.

California last year imposed a privacy law that gives consumers more control over how their personal data is collected, used, and sold by corporations.

"We oppose any attempt to preempt California's privacy laws," Sarah Lovenheim, communications advisor to California Attorney General Xavier Becerra, wrote on Twitter yesterday.

Rubio’s bill based on 45-year-old law

Rubio's bill wouldn't do much to protect Americans' data privacy, consumer advocacy group Public Knowledge said. The Rubio bill uses the Privacy Act of 1974 as its framework; the 1974 law applies to federal agencies, but Rubio's bill would apply similar rules to the private sector.

"The 1974 Privacy Act is fundamentally a transparency and data accuracy law, designed well before the popularization of the Internet and cloud computing," and not suited to today's "constant stream of data breaches and scandals," Public Knowledge Global Policy Director Gus Rossi said.

"It's absurd that the bill would preempt state law and constrain the jurisdiction of specialized agencies like the FCC in exchange for very limited protections for consumers," Rossi also said.

DOJ says 1974 law difficult to enforce

The Privacy Act of 1974 generally prohibits disclosure of data about an individual without that individual's consent, but it contains various exceptions, and the Department of Justice says the law is difficult to interpret and enforce.

The Act "can generally be characterized as an omnibus 'code of fair information practices' that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies," the DOJ says in an overview last updated in 2015. "However, the Act's imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply."

Despite the DOJ saying the law is confusing, Rubio argued in an op-ed for The Hill that the Privacy Act of 1974 is "widely considered one of the seminal pieces of privacy law in effect today."

"Any national privacy law must provide clear, consistent protections that both consumers and companies can understand, and the FTC can enforce. That is why my bill leans heavily on the Privacy Act framework," Rubio wrote.

Rubio's bill would have the FTC establish a process in which individuals can contact companies to request access to their personal data. Companies would have to either provide the data to consumers or delete the data. If a company lets an individual view the data, the company would have to correct any mistakes if the person demonstrates that the records are "not accurate, relevant, timely, or complete." Companies would only have to delete the data if they choose not to provide it to consumers upon consumers' requests.

Upon requests from individuals, companies would also have to tell individuals about instances in which their records have been disclosed to other parties. The FTC would be responsible for enforcing the new rules under its authority to police unfair and deceptive acts or practices.

Rubio wrote that cumbersome regulations might "entrench large, incumbent corporations."

"Facebook, Apple, Amazon, Netflix, Google (FAANG) and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG's current dominance," he wrote.

Rubio's bill instructs the FTC to "establish criteria for exempting certain small, newly formed covered providers from the requirements."

Rubio justified his proposed preemption of state laws by writing that "a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude" and that "Internet data is unquestionably interstate commerce, and it is the responsibility of Congress to take appropriate action."

Bill delays final rules for up to 27 months

Rubio's bill would not impose privacy protections immediately upon passage. It would give the Federal Trade Commission six months to submit "detailed recommendations for privacy requirements" to Congress. Congress would have up to two years after the bill's passage to issue actual privacy requirements. During that time, the FTC would not be able to issue final rules on its own.

If Congress fails to act within two years, the FTC would be authorized to act on its own and would be required to issue final regulations "not later than 27 months after" the bill is enacted.

Congressional Democrats recently proposed a much stricter privacy law, which could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans' privacy.