Okay, so I lied. I’m back with a privacy bill in less than a week. In January, Senator Marco Rubio (R-FL) released a bill, the “American Data Dissemination (ADD) Act” (S. 142), that offers a different approach to privacy and technology by using the “Privacy Act of 1974” as a template for regulating those entities providing services on the internet. However, this approach, and other details in the bill, make it a likely non-starter for many House and Senate Democrats, particularly since it would preempt in significant part (if not entirely) the “California Consumer Privacy Act” (AB 375) and other privacy-oriented state statutes. Nonetheless, Rubio is a new entrant to the field of privacy and data security policy and may influence whatever legislation Congress produces.
Like most other data security and privacy bills, the Federal Trade Commission (FTC) would be the agency to enforce the new requirements and would be given jurisdiction over “covered provider[s],” a term defined as “a person that provides a service that uses the internet; and in providing the service…collects records.” This definition would encompass most entities doing business over the internet but would seem to exclude data brokers and other entities that buy, sell, collect, or share the personally identifiable information of people. Consumers would be given the right to access the “records” that “covered providers” hold on them and then request changes to erroneous information. If the ultimate regulations align with the “Privacy Act of 1974” (5 USC 552a), then there may be significant exemptions that would function to limit consumer access to and control over the information held, used, and shared by businesses.
Rubio’s bill takes the unusual step of requiring that the FTC essentially clear its regulations with the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee. The FTC would be required to submit to Congress “detailed recommendations for privacy requirements that Congress could impose on covered providers that would be substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.” 12-15 months after the FTC submits this report, it would be required to submit to Congress proposed regulations that would similarly make covered entities subject to requirements along the lines of how the Privacy Act of 1974 applies to federal agencies. The FTC is directed by the legislation to address a number of topics in these regulations, including
- criteria by which the FTC could exempt certain small covered providers that would otherwise be subject to this bill based on the time an entity has been covered by the ADD Act, its revenues, and the number of people for whom they have records
- establishing a process by which people could request access to a record and possibly have that record deleted if the covered provider elects to do so
- requiring that consumers show that a record is “not accurate, relevant, timely, or complete” (terms to be defined by the FTC) before a covered entity is required to amend a record
- establishing a dispute resolution process like the one for disputes between consumers and credit reporting agencies under the Fair Credit Reporting Act (FCRA) regarding one’s credit file
- the establishment of “a code of ‘fair information practices’, for the secure collection, maintenance, and dissemination of records, with which a covered provider must comply.”
These regulations would also be published, presumably for comment from interested parties. However, the bill is silent on whether the FTC would have to use the more extensive Magnuson-Moss rulemaking procedures or the Administrative Procedure Act process, which most agencies utilize. Yet the drafters of the bill may intend for the FTC to use the process outlined in the bill, meaning a new means by which the FTC would promulgate regulations. In any event, if a statute based on the initial recommendations is not enacted within two years of passage of the ADD Act, then the FTC would be required to promulgate final regulations.
The Privacy Act of 1974 has been criticized by privacy and civil liberties advocates as being inadequate for protecting the privacy of Americans given how exceptions have been utilized by agencies and the arguably out-of-date definitions and concepts in the 45-year-old legislation. Additionally, unlike many Democratic bills, state attorneys general would have no role in enforcing the new regulations or laws. With respect to enforcement, the FTC could request that a federal court levy civil fines as high as $40,000 per violation. The bill would exempt HIPAA-covered entities and those regulated under the “Family Educational Rights and Privacy Act of 1974.” The FTC is given authority to determine whether the follow-on statute or regulations put in place under the ADD Act supersede Gramm-Leach-Bliley and the Children’s Online Privacy Protection Act (COPPA) in the case of conflicts.