The social, economic, and political forces pushing for a comprehensive overhaul of the nation’s privacy regime are numerous, and many see 2019 as presenting the best opportunity yet for passage of federal data privacy legislation.
Revelations about how social media platforms use and share consumers’ personal data have raised public concerns about relatively unregulated data markets, while a series of high-profile data breaches have highlighted the complexities and vulnerabilities facing companies that handle large-scale collection and storage of personal data. Meanwhile, lawmakers and other federal officials are taking notice, and data privacy and cyber security issues are moving up everyone’s list of priorities.
At the same time, the details of any potential federal privacy regime remain less clear. As in-house legal departments prepare for a year likely to contain sweeping changes in privacy policy, the best indicator of what lies ahead may be found in the various bills and proposals that have surfaced over the past year. These proposals, while unlikely to be adopted in their current form, offer an overview of the current debate and can help corporate counsel anticipate the changes that will arise from the eventual enactment of federal data privacy legislation.
This article surveys the current legislative proposals and, based on this review, provides in-house counsel with an outline of the most likely contours for any eventual data privacy and cyber security legislation affecting businesses.
Current Congressional Proposals
A number of proposals have circulated in the U.S. Senate over the past year. The action began in April when a pair of overlapping and competing bills were introduced. Senate Democrats Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) first introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. The Act would authorize the Federal Trade Commission (FTC) to promulgate rules consistent with the Act’s basic requirements. Adopting the framework of “edge providers,” the CONSENT Act would broadly apply to any internet or mobile service that is either purchased or offered through the creation of a customer account. The core of the CONSENT Act would be the creation of an opt-in regime requiring edge providers to obtain affirmative consent from customers before collecting their “sensitive information.” As defined in the Act, sensitive information includes geolocation data, web browsing history, and call detail information. To shore up this opt-in regime, the Act prohibits edge providers from refusing service to users who do not provide consent. Under the bill, the FTC is directed to promulgate rules requiring user notification in the event of a data breach from which “harm is reasonably likely to occur.” The CONSENT Act would be enforced by the FTC, other federal agencies which have statutory authority over specific activities, and state attorneys general.
Also in April, Senators Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) introduced S.2728, entitled the Social Media Privacy Protection and Consumer Rights Act of 2018. The bill applies to “online platforms,” which are defined (more broadly, perhaps, than the bill’s title suggests) as any public-facing website or app that collects personal data during the consumer’s use of the platform. In contrast to the CONSENT Act, however, the bill adopts an opt-out regime. Covered platforms would be required to disclose what data is collected, and the consumer has the right to opt out of data collection and tracking. Furthermore, the bill allows providers to deny service to customers if opting out of data collection “creates inoperability in the online platform.” Consumer notification of a data breach is required within 72 hours after the provider becomes aware that a user’s personal data has been transmitted in a manner inconsistent with the user’s expressed preferences or the platform’s disclosed uses. Enforcement is left to the FTC and state attorneys general.
Another flurry of activity in the Senate came at the end of the year. Of all the proposed pieces of legislation that have been recently introduced, the draft bill circulated by Ron Wyden (D-Ore.) in November has grabbed the most headlines. Given its stringent penalties, Wyden’s bill is generally viewed as the strictest of all the current proposals. Entitled the Consumer Data Protection Act, Wyden’s draft legislation applies generally to entities subject to Section 5 of the FTC Act. However, the Act excludes from its requirements entities with annual gross revenue of less than $50 million and which have collected information from fewer than 1 million consumers and devices. Adopting an expansive opt-out framework, Sen. Wyden’s bill would require the FTC to create a centralized “Do Not Track” List, enabling consumers to opt out of data sharing by all covered entities. Before collecting any user data, covered entities would be required to consult the Do Not Track List. Covered entities would be permitted to deny service to consumers who choose to opt out, so long as the consumers are offered a paid version of the service instead. Furthermore, much like the GDPR and the CCPA, the bill gives consumers the right to request, review, and challenge any information collected on them. Covered entities must establish and implement cyber security and data privacy policies, practices, and procedures. Covered entities are further required to submit annual reports detailing their compliance with the bill’s various regulations. Such reports are to be certified by the entity’s Chief Privacy Officer, and the bill imposes a penalty of up to $5 million or 20 years’ imprisonment for intentionally falsified certifications. Finally, the bill would be enforced by the FTC, whose power to impose fines is increased to up to 4 percent of annual gross revenue. To bolster this newly expanded enforcement authority, a Bureau of Technology with 125 new employees would be created within the FTC.
Interestingly, the bill also directly confronts the standing issue that has plagued much privacy litigation by defining “substantial injury” as including “noneconomic impacts.”
In the broadest display of support for data privacy and cyber security legislation, Senator Brian Schatz (D-Hawaii), along with 14 other Democratic senators, introduced in December the Data Care Act of 2018. Taking a different approach than the other pieces of proposed legislation, the Data Care Act would impose fiduciary duties on “online service providers” that collect individually identifying data about users. Under a duty of care, online service providers would be required to “reasonably secure” personally identifiable information. In the event of a breach of sensitive information (including biometric, health or financial data), users must be “promptly” notified. A duty of loyalty prohibits providers from using end users’ PII in any manner that would benefit the provider to the detriment of the user. However, the Act limits such detriment or injury to “material physical or financial harm.” Finally, a duty of confidentiality prohibits providers from disclosing or sharing users’ PII with third parties, except as may be consistent with the duties of care and loyalty. Once again, enforcement would rest primarily with the FTC, which is also granted the authority to promulgate rules and regulations to operationalize the broad and general requirements of the Act. The Act also authorizes enforcement by state attorneys general and state consumer protection officers.
While the Senate has been more active, the House of Representatives also has seen some recent legislative proposals. Congressman Hank Johnson (D-Ga.) has introduced two bills, one that focuses on data privacy on mobile devices and another that provides users with rights to opt out of data collection by “data brokers.” Under the mobile app proposal, app developers would be required to obtain consumer consent before collecting data. Under his proposed data broker legislation, data brokers would be required to provide consumers with a means of opting out of the use, sharing, or selling of their personal information. Consumers are also afforded the right to review and correct the personal information that the data broker collects, assembles, or maintains.
Finally, Congresswoman Suzan DelBene (D-Wash.), a former executive at Microsoft, has co-sponsored a bill with Congressman Hakeem Jeffries (D-N.Y.), entitled the Information Transparency and Personal Data Control Act. The Act would apply to any “operator” of a website or other online service that collects or maintains personal information of users for commercial purposes. The draft bill contains a carve-out for operators with 500 or fewer employees. The heart of the bill is the establishment of an opt-in regime for data collection. Operators would be required to provide a conspicuous privacy and data use policy that specifically requests the user’s express affirmative consent before the collection, storage, processing, sale, or sharing of any sensitive personal information. The bill mandates specific disclosures, including the identity of the entity collecting the information, what information is collected, the purpose for such collection or use, the identity of any third parties receiving the information, and how long the information is stored. Evidencing a concern with overly complicated terms of use and privacy policies, the bill further requires that such disclosures be “concise and intelligible” and written in “clear and plain language.” Users must also be provided with clear instructions on how they can view the sensitive personal information they have provided to the operator. After obtaining opt-in consent, operators must provide users with the ability to opt out at any time. Finally, covered operators must conduct annual privacy audits detailing the adequacy and effectiveness of their privacy and cyber security measures. Once again, the FTC and the state attorneys general would enforce the provisions of the bill.