Last week, we delved into the “Social Media Privacy Protection and Consumer Rights Act of 2019” (S. 189), but this week we will look at a bill that probably exceeds bounds of the politically possible: Senator Ed Markey’s (D-MA) “Privacy Bill of Rights Act” (S. 1214), the only bill to get an A in the Electronic Privacy Information Center’s report on privacy bills. The definition of “personal information” is easily the most expansive of any of the bills we’ve looked at and would impose more and various new duties on covered entities than any of the bills we’ve analyzed.
This bill goes beyond an enhanced notice and consent regime and would declare some current data practices as illegal subject to Federal Trade Commission (FTC) enforcement. To wit, the bill provides “[i]t shall be unlawful for any covered entity to commit an act prohibited under this Act or a regulation promulgated under this Act, regardless of any specific agreement between entities or individuals.” There is also an interesting provision regarding unexpected data collection and usage that may have been crafted to foil those looking to exploit loopholes.
The bill defines “covered entities” so broadly that virtually any person or entity collecting the data of people in the U.S. would be included. To wit, the bill defines a “covered entity” as “any person that collects or otherwise obtains personal information.” Note that this definition is not limited to online entities; rather, anyone collecting and sharing information would be subject, making this bill among the most sweeping of those we have analyzed.
With respect to responsibilities under the “Privacy Bill of Rights,” covered entities must protect the privacy of personal information in their care and also ensure that this information is safe from unauthorized access. These entities must also obtain the affirmative, express, knowing consent of consumers before they can collect, use, retain, share, or sell this information through the provision of notice.
In terms of who would be covered by the protections in the bill, it would be virtually everyone in the U.S. and possibly people overseas as well. The bill is not clear on this, presumably in order to provide the broadest amount of data rights to the widest group of individuals possible. However, minors are defined as those being 16 years of age and under. The bill provides that “[t]o the extent that a provision of this Act or a regulation promulgated under this Act is inconsistent with a provision of any other Federal law relating to the protection and control of the personal information of minors, the provision that provides the most protection and control to minors and their parents or guardians shall apply.”
The “Privacy Bill of Rights” contains one of the broadest, most sweeping definitions of the type of data that shall be protected. The bill provides “personal information…means information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.” Moreover, thereafter follows a lengthy and exhaustive list of examples of data that qualifies as “personal information,” which is too long to reasonably quote. But, of all the bills we have looked at thus far, this is the most comprehensive definition, and because this list is presented as “examples,” it may follow that the regulations to be promulgated could include other personal information that is to be protected and secured.
There are incentives in the bill to de-identify data, and what shall be deemed de-identified “is “information that cannot reasonably identify, relate to, describe, or be capable of being associated with or linked to, directly or indirectly, a particular individual.” In terms of the policy backdrop, this incentive structure seems designed to drive covered entities to make data less valuable over time to hackers but also prevent future uses contrary to the original purpose of the data collection.
However, the FTC is empowered to grant specific exemptions to the requirement that consumers must affirmatively and knowingly opt-in to the collection and use of their personal information on the basis of any privacy risks posed by how the covered entity is using the data, the costs and benefits of applying these requirements, and the extent to which the personal information is necessary to and used for the security of the covered entity, consistent with the service of product provided, and de-identified, among other considerations. Any exempted entities must be listed on the FTC’s website along with a “brief justification” as to why the entity was exempted.
The FTC would be empowered to police a vast range of practices of covered entities related to the collection and use of personal information. However, a few definitions worth mentioning regarding this part of the “Privacy Bill of Rights.”
A “breach of security” is “any instance in which a person, without authorization or in violation of any authorization provided to the person, gains access to, uses, or discloses personal information.” This definition covers the expected situation of a hacker somewhere getting into a system or information he has no authorization to access. However, it also covers situations where a person is accessing information “in violation of the authorization” granted to a person or organization. Consequently, if an organization that has authorization to hold and use my personal information on my baseball card collection but not to share subsequently sends this information to a data broker, this would be a breach of security.
Additionally, the “Privacy Bill of Rights” defines the word “disclose” in sweeping fashion, meaning “to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, electronically, or by any other means to any third party.” It is hard to conceive of a means to share or transmit information to a third party not covered by this definition.
Covered entities must obtain opt-in approval from a person before any collection or sharing of that person’s data may happen. The bill defines opt-in approval as “affirmative, express consent of an individual for a covered entity to use, disclose, or permit access to the individual’s personal information after the individual has received explicit notification of the request of the covered entity with respect to that information.” The FTC will promulgate regulations to “require a covered entity to obtain opt-in approval from an individual to—
(1) collect, use, retain, share, or sell the individual’s personal information; or
(2) make any material changes in the collection, use, retention, sharing, or sale of the individual’s personal information.”
Additionally, “[a]n individual shall have the right to withdraw his or her approval at any time.” However, under specified “emergency or exigent circumstances,” a covered entity would not need opt-in approval to collect, use or share personal information, and these include where “the covered entity, in good faith, believes danger of death or serious physical injury to any individual requires use, access, or disclosure without delay of personal information relating to the emergency.”
The bill lays out a very robust list of information consumers must be given notice of “a short-form notice about the collection, retention, use, and sharing of the personal information of individuals by the covered entity” that includes:
- What personal information is being collected, used, or retained
- How this personal information is collected, and how, and for what purpose, it is being sold, shared, used, retained, or collected
- Third parties with whom the information is sold, shared, or leased and for what purpose
- How a person can access, correct, delete, or request the personal information held by the covered entity
- Any offline practices for collecting information not related to the online behavior of a person; and
- The right of a person to opt-in or withdraw approval for the collection and use of personal information.
The FTC will also promulgate regulations to govern the “unexpected” collection or use of personal information. In these situations, covered entities must provide the same notice as under normal circumstances, including the option to opt-in and would also have a responsibility to inform the consumer of any material changes in the same way as for normal collection and use practices. Covered entities would be barred from collecting any personal information not listed in the notice and must provide new notice each time the universe of data they collect changes. Likewise, the same applies to the purposes for which personal information is used. Covered entities would be excused from these requirements if the collection and use of personal information
- “is necessary for the performance of a contract to which the individual is party;
- consists of actions that an individual would consider necessary in order to provide a requested product or service; or
- consists of actions taken at the request of the individual prior to entering into a contract to which the individual is party.”
Covered entities must allow consumers a reasonable opportunity and process to access, correct, delete, and obtain their personal information. Moreover, covered entities would have a duty to provide a description of the information being held, when the collection of information began, for how long the information will be retained, and the third parties with whom the information has been shared. There are a number of exceptions to the requirement that a covered entity delete personal data upon request, including:
- If the personal information is needed to secure the covered entity’s system
- To exercise the free speech rights of the consumer or another person
- To comply with federal statutes on electronic communications surveillance
Covered entities must also “inform any entity with which the covered entity has shared, sold, or disclosed an individual’s personal information of any request from the individual for confirmation of, access to, correction of, or deletion of the individual’s personal information.” Likewise, a covered entity would need to comply with a consumer’s request if it is conveyed by another covered entity. Additionally, “[a] covered entity may not de-identify an individual’s personal information during the 90-day period beginning on the date on which the covered entity receives a request from the individual for confirmation, access, correction, or deletion of the individual’s personal information.” The FTC is also charged with promulgating regulations for these processes.
Covered entities must “ensure that personal information that has been de-identified is not restored such that the information can be linked to a specific individual or device,” and the FTC’s regulations would include this duty.
Covered entities may neither pose consumers with take-it-or-leave-it offers nor may they offer financial incentives for consumers to opt-in to data collection and use. Unlike some of the other bills we have analyzed, the Privacy Bill of Rights forbids covered entities from denying service to consumers who do not opt-in to “the collection, use, retention, sharing, or sale of the individual’s personal information for commercial purposes” (aka a “take-it-or-leave-it-offer”). In the same vein, covered entities cannot offer people a discount or incentive to get them to opt-in. However, the FTC may determine that certain types of financial incentives are permissible if they “reasonable, just, and non-coercive.” One wonders what type of financial incentives would be greenlighted under an FTC that seeks to take a “light regulatory touch,” and there does not seem to be a means by which the FTC would be empowered to rescind such a determination.
S. 1214 would tightly circumscribe how an individual’s personal information may be disclosed by a covered entity to a third-party under a written contract. However, there are exceptions for covered entities sharing with third parties in response to a legal process such as a warrant or subpoena or in order to protect a person’s property or to address security or technical issues.
Section 11 of the bill details the practices that would be illegal under the “Privacy Bill of Rights.” Notably, covered entities would be prohibited from “selling, leasing, trading, or otherwise profiting from an individual’s biometric information.” If a covered entity obtains “specific consent” from a person, it may share, reshare, or otherwise disseminate an individual’s biometric information; however, specific consent would not be required if dissemination “is required by State or Federal law or municipal ordinance; or…is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.”
Likewise, S. 1214 outright bans a number of current practices that have been deemed “digital redlining” and others:
- processing personal information for the purpose of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for employment, finance, healthcare, credit, insurance, housing, or education opportunities, in a manner that discriminates against or otherwise makes the opportunity unavailable on the basis of a person’s or class of persons’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability; or
- processing personal information in a manner that segregates, discriminates in, or otherwise makes unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation on the basis of a person’s or class of persons’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, or disability.
There are additional prohibitions on what covered entities may do with the personal information it collects. Section 12 bars collection data “beyond what is adequate, relevant, and necessary—
for the performance of a contract to which the individual is party;
to provide a requested product or service; or
to take steps at the request of the individual prior to entering into a contract to which the individual is party.”
Additionally, there would be limits on how long after a covered entity has finished using the information that it may access the information. Notably, 90 days after the latest of any of these dates, a covered entity would not able to access the information:
- the covered entity concludes the performance of a contract to which the individual is party;
- the covered entity concludes taking steps that an individual would consider necessary in order to provide a requested product or service, including steps to prevent fraud, ensure safety, or ensure compliance with the covered entity’s terms of service; or
- the individual otherwise terminates his or her relationship with the covered entity.”
Unlike a number of other bills, the “Privacy Bill of Rights,” the FTC would be required to promulgate data security regulations. Some Democratic stakeholders such as Senate Commerce, Science, and Transportation Committee Ranking Member Maria Cantwell (D-WA) would like any privacy bill to be paired data security legislation, for, in her view, the two issues are inseparably intertwined. The FTC would draft regulations “require a covered entity to establish and maintain reasonable data security practices to protect the confidentiality, integrity, and availability of personal information…that are proportional to the volume and nature of the personal information a covered entity collects.” This approach is not entirely alien with how the FTC currently approaches data security cases under its Section 5 powers to prohibit unfair and deceptive practices. Covered entities would be required to alert people in the event of a security breach if
- an unauthorized disclosure of the personal information of the individual has occurred; and
- harm is reasonably likely to occur
The FTC will likely wrestle with determining what constitutes when “harm is reasonably likely to occur,” and with what constitutes harm. Industry and many Republicans will probably argue that harm should be defined to be actual, concrete economic harm such as identity theft. This will matter, for if a security incident is defined so tightly as to be only cases of economic harm, then many breaches would likely go unreported. Also, there is no definite timeline in which consumers must be informed, which has been a subject of dispute when Congress was grappling with data security legislation for the better part of this decade. However, when a covered entity notifies a consumer of a breach, it must also give the individual the option to stop the collection, use, retention, sharing or selling of their personal information. Also, consumers must be allowed to require the covered entity to erase personal information, stop selling and sharing, provide a copy of information the covered entity holds, and close the account and terminate the relationship.
The FTC, state attorneys general, and consumers would all be authorized to bring actions in court for violations of the “Privacy Bill of Rights.” The FTC would be required to promulgate regulations that have been discussed at length within one year of enactment, and these regulations would need to take effect within 90 days after being finalized. So, realistically, the FTC would need to produce proposed regulations as quickly as six months after enactment to make the one-year deadline, but, as is customary there is no penalty for the agency missing the deadline. This may be a tall order for the agency given the size of its staff dedicated to privacy and data security issues, many of whom work on the enforcement side, and the resources the agency is provided annually.
Like other privacy bills, the FTC would treat all privacy violations as “a violation of a rule defining an unfair or deceptive act or practice,” allowing the agency to seek civil fines of about $42,000 per violation in court as part of its immediate enforcement action. The suite of other enforcement powers would also be available to the FTC including injunctive relief. And, yet, unlike other bills but like Gramm-Leach-Bliley, regulators other than the FTC would be empowered to police violations for their regulators. For example, the federal banking agencies would regulate their sectors of the banking industry.
As mentioned, state attorneys general may enforce the act unless the FTC is already acting. Any actions arising from state laws must be paused until the FTC completes action if both arise from a common set of facts. Notably, this bill does not explicitly preempt state privacy and data security laws. However, under the Constitutional regime of preemption, it is not entirely clear if the “Privacy Bill of Rights” would implicitly preempt state laws, which might be acceptable to privacy and other advocates who may well see this bill as stronger than the “California Consumer Privacy Act” (CCPA) (AB 375).
The bill permits a consumer to sue a covered entity for a violation, a feature rarely included in privacy legislation. An individual could sue in any court of competent jurisdiction, the bill stipulates that “[a] violation of this Act or a regulation promulgated under this Act with respect to the personal information of an individual constitutes an injury in fact to that individual.” The latter provision would get consumers over a hurdle they frequently face when they sue regarding data or privacy violations: what is considered an injury necessary to allow a suit proceed. Plaintiffs could seek any of this relief:
(1) actual damages;
(2) punitive damages;
(3) reasonable attorney’s fees and costs; and
(4) any other relief, including an injunction, that the court determines appropriate.
Additionally, pre-dispute arbitration agreements shall be null and void as a party to such an agreement will not be able to enforce one, and the court, and not an arbitrator, will determine how this section applies.
Finally, the “Privacy Bill of Rights” would not modify, change, or impinge any other existing privacy laws such Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, and others.