Last week, we dove into the “Balancing the Rights Of Web Surfers Equally and Responsibly Act of 2019” (BROWSER Act) (S. 1116). This week, we’ll look at another bipartisan Senate bill, but one sponsored by a contestant for the Democratic nomination: Senator Amy Klobuchar (D-MN). She introduced the “Social Media Privacy Protection and Consumer Rights Act of 2019” (S. 189) with Senator John Kennedy (R-LA) in January 2019. Broadly speaking, under this bill the major tech companies would need to give consumers an opportunity to opt in or opt out of the company’s data usage practices after offering enhanced notice of the purposes for which the personal data may be used.
The bill would cover only “online platforms,” which are defined as “any public-facing website, web application, or digital application (including a mobile application); and includes a social network, an ad network, a mobile operating system, a search engine, an email service, or an internet access service.” However, the bill would encompass only a subset of “online platforms” (i.e. those that “collect personal data during the online behavior of a user of the online platform”). Consequently, it appears that a company like Amazon, with a huge online presence, would not be considered an online platform. The same would seem to be true of any other retailer with an online presence that falls short of being one of the specified types of online platform.
Moreover, it is not clear under the bill that all of the practices of online platforms that impinge on privacy would be covered by the bill. The use of the phrase “during the online behavior of a user of the online platform” raises the possibility that some online platforms may claim that some instances of data collection of online behavior are not covered by the bill, or it may be suggested that certain behaviors are off-line. For example, in a May article, the Washington Post’s technology columnist found that at 3:00 am his iPhone is “beaming out lots of information about me to companies I’ve never heard of” “[e]ven though the screen is off and I’m snoring.” I suppose one could make the case that even though he was not online, the apps he downloaded were. However, it is more logical to say he was not online, so should the Klobuchar-Kennedy bill be enacted as written, this would seem to be data collection outside the bounds of the privacy regime. Also, how would cookies be treated? Conceivably, once a consumer has logged off of Facebook, should the platform’s cookies continue to pipe information back to the company? Or is this the sort of behavior one could consent to?
S. 189 defines personal data more narrowly than some of the other bills. For example, most telephone metadata would fall outside the bounds of what is considered personal data except for geolocation data, so a consumer’s privacy choice would be functionally meaningless for this type of data. In the same vein, location information other than that which could be used to identify a street and a city would be fair game, so it appears online platforms could use and share less precise location information, such as just a town or a city.
Nonetheless, what is “personal data” is “individually identifiable information about an individual collected online, including—
(A) location information sufficient to identify the name of a street and a city or town, including a physical address;
(B) an email address;
(C) a telephone number;
(D) a government identifier, such as a Social Security number;
(E) geolocation information;
(F) the content of a message;
(G) protected health information, as defined in section 160.103 of title 45, Code of Federal Regulations, or any successor regulation; and
(H) nonpublic personal information, as defined in section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) (i.e. “personally identifiable financial information…provided by a consumer to a financial institution…resulting from any transaction with the consumer or any service performed for the consumer…or…otherwise obtained by the financial institution”).
When a person creates an account with an online platform, he must be given the option to choose between having his personal data collected and used by the online platform and third parties or declining to agree to such terms. However, nothing appears to be off limits in terms of collection and use of personal data once a consumer has consented to the terms the online platform offers. Once a consumer has agreed to the terms put forth by the online platform, the platform is free to do what it will with user personal data so long as it is transparent about the uses and abides by its published privacy or security program.
The biggest possible loophole I see is if a user opts against an online platform from collecting and using her personal data, the platform “may deny certain services or completely deny access to the user” if the choice “creates inoperability in the online platform.” How is inoperability to be defined? Could Facebook say that since so much of its business model is built on collecting and using personal data that when a user opts out, the platform then becomes inoperable? Since the FTC is not given authority to promulgate regulations under the Administrative Procedures Act, what constitutes bona fide “inoperability” will be determined on a case-by-case basis if the agency finds this term is being used in ways contrary to the intent of the law.
Nonetheless, a user may withdraw his consent at any time or in the event of a privacy violation. However, doing so would seem to implicate the same concern as an initial refusal to consent: the online platform may find that such refusal creates inoperability problems, allowing it to deny services.
Of course, an online platform must obtain consent or allow a consumer to opt out when they create an account, but what of existing accounts with, say, Facebook or Google? The bill would take effect six months after enactment, and it provides that “[a]n individual who becomes a user of a covered online platform before the effective date under subsection (a) shall be treated as if he or she had become a user of the online platform on that effective date.” This would suggest that existing users would not be offered a choice as to whether they opt in or opt out. However, such a user may withdraw consent after the effective date if they find the terms in the newly revised notice to be objectionable.
There is language regarding the standards online platforms must meet in terms of the notice they provide consumers regarding the type of personal data collected and its uses. It must be “…easily accessible…of reasonable length…clearly distinguishable from other matters; and…uses language that is clear, concise, and well organized, and follows other best practices appropriate to the subject and intended audience.”
The bill requires online platforms to allow users to request and receive “a copy of the personal data of the user that the operator has processed, free of charge and in an electronic and easily accessible format, including a list of each person that received the personal data from the operator for business purposes, whether through sale or other means.” However, there is no language on the timeframe by which the online platform should meet this request.
S. 189 would require covered online platforms to “establish and maintain a privacy or security program for the online platform” and to “publish a description of the privacy or security program.” However, a plain reading of this requirement suggests that an online platform subject to S. 189 need only establish and maintain a “privacy or security program,” meaning only one or the other. The rationale for giving online platforms a choice is not immediately clear. In any event, the online platform also needs to “publish a description of the privacy or security program that—
details how the operator will use the personal data of a user of the online platform, including requirements for how the operator will address privacy risks associated with the development of new products and services; and includes details of the access that employees and contractors of the operator have to the personal data of a user of the online platform, and internal policies for the use of that personal data.”
There appears to be an ill-defined incentive for online platforms to develop better technology to secure the privacy of consumers. If an online platform develops “privacy-enhancing technology,” then it would not need to offer consumers a choice on data collection and usage, provide a copy of her data as processed and used, or alert her in the event of a “privacy violation.” However, the bill does not indicate what might qualify as “privacy-enhancing technology,” except that this provision suggests that it applies to the “development” of this sort of technology. Presumably that would apply to yet-to-be-developed technologies and seems to serve as an incentive for online platforms to put the time and resources into doing so. However, would encryption qualify as “privacy-enhancing technology”? The provision is vague, so it is not clear.
As in virtually all the other privacy bills, the Federal Trade Commission (FTC) would treat all privacy violations as “a violation of a rule defining an unfair or deceptive act or practice,” allowing the agency to seek civil fines of about $42,000 per violation in court as part of its immediate enforcement action. Common carriers and non-profits would be swept into the jurisdiction of the FTC for purposes of enforcing this act; however, only those “covered online platforms” that are also common carriers or non-profits would be subject to the bill. State attorneys general could enforce the regime in federal court so long as the FTC is not already doing so or does not seek to intervene. Also, the bill would not preempt state criminal and civil laws, so state attorneys general could simultaneously bring actions under state law at the same time the FTC is bringing an action in federal court.