Last week, we spent a bit of time looking at the “Privacy Bill of Rights Act” (S. 1214), the only bill to get an A in the Electronic Privacy Information Center’s report on privacy bills, and likely outside the realm of the politically possible at present. This week, we will examine Senator Catherine Cortez Masto’s (D-NV) “Digital Accountability and Transparency to Advance Privacy Act” (DATA Privacy Act) (S. 583). Of course, Cortez Masto served as the attorney general of Nevada for eight years prior to succeeding former Senator Harry Reid (D-NV), and this bill demonstrates her background as her state’s top prosecutor.
In terms of similarities to the other privacy bills, the Federal Trade Commission (FTC) would promulgate extensive regulations to effectuate a new federal privacy regime under the Administrative Procedure Act (APA) and would be able to punish privacy violations by seeking civil penalties in the first instance in a court action. Consumers would receive the right to opt-in and opt-out of certain data collection, processing, use, sharing, and selling practices conducted by entities.
State attorneys general would be able to bring actions under the new enforcement structure. Consumers would not be allowed to sue for violations of the new regime, which is aligned with a number of other bills.
Like the “Privacy Bill of Rights” (S. 1214), the DATA Privacy Act would rule out of bounds certain practices instead of going the route of enhanced notice and consent as many of the other bills do (i.e., once a consumer is informed of how an entity proposes to collect and use their data, almost any subsequent processing and use would be acceptable).
In terms of the scope of the DATA Privacy Act, like the “Privacy Bill of Rights Act” (S. 1214), virtually all entities collecting, using and disclosing consumer information would be considered a “covered entity.” However, there would be an exception exempting entities that “collect[], process[], store[], or disclose[] covered data relating to fewer than 3,000 individuals and devices during any 12-month period.” “Covered data” is “any information that is—
- collected, processed, stored, or disclosed by a covered entity;
- collected over the internet or other digital network; and
- linked to an individual or device associated with an individual; or
- practicably linkable to an individual or device associated with an individual, including by combination with separate information, by the covered entity or any potential recipient of the data.”
This definition encompasses much of the current data ecosystem. Any information vacuumed up electronically that is or can be linked to a person or her device would be covered under the bill. However, employment data and government records made available to the public are not covered data.
The bill defines “privacy risk” to be the “potential harm to an individual resulting from the collection, processing, storage, or disclosure of covered data, including—
(A) direct or indirect financial loss;
(B) stigmatization or reputational harm;
(C) anxiety, embarrassment, fear, and other severe emotional trauma;
(D) loss of economic opportunity; or
(E) physical harm.”
If enacted, the FTC and courts may have difficulty in determining what exactly constitutes things like “stigmatization or reputational harm,” “anxiety, embarrassment, fear, and other severe emotional trauma,” or “loss of economic opportunity.” What turns out to be a “privacy risk” would likely be shaped on a case-by-case basis after FTC regulations speak to these concepts. Nonetheless, the DATA Privacy Act is one of the few bills that seeks to make what some might consider non-economic or non-tangible privacy injuries illegal conduct.
In terms of the personal information upon which consumers would gain new rights and protections, this bill introduced some new ways of looking at this concept, notably, the following terms:
- A “protected characteristic” is an “individual’s race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.”
- “pseudonymous data” are “covered data that may only be linked to the identity of an individual or the identity of a device associated with an individual if combined with separate information.”
- a “reasonable interest” means—
  - a compelling business, operational, administrative, legal, or educational justification for the collection, processing, storage, or disclosure of covered data exists;
  - the use of covered data is within the context of the relationship between the covered entity and the individual linked to the covered data; and
  - the interest does not subject the individual to an unreasonable privacy risk.
- “sensitive data” are “any covered data relating to—
  - the health, biologic, physiologic, biometric, sexual life, or genetic information of an individual; or
  - the precise geolocation information of a device associated with an individual.”
The FTC is given explicit authority to modify two of these definitions through the rulemaking authority granted the agency (i.e. “pseudonymous data” and “sensitive data”), suggesting the other definitions may not be changed.
Covered entities would need to “post in an accessible location a notice that is concise, in context, in easily understandable language, accurate, clear, timely, updated, uses visualizations where appropriate, conspicuous, and free of charge regarding the covered entity’s privacy practices.” This notice must inform consumers of “the methods necessary to exercise their rights” described elsewhere in the bill.
Within one year of enactment, the FTC must promulgate regulations that require covered entities “to implement, practice, and maintain certain data procedures and processes” subject to standards that are distinguishable from other privacy bills.
“[R]egarding the means by and purposes for which covered data is collected, processed, stored, and disclosed,” covered entities must engage in the following practices, to be detailed by FTC regulation:
- A covered entity’s collection, processing, storage, and disclosure of covered data must be in service of a reasonable interest of the covered entity, such as
  - business, educational, and administrative operations that are relevant and appropriate to the context of the relationship between the covered entity and the individual linked to the covered data;
  - relevant and appropriate product and service development and enhancement;
  - preventing and detecting abuse, fraud, and other criminal activity;
  - reasonable communications and marketing practices that follow best practices, rules, and ethical standards;
  - engaging in scientific, medical, or statistical research that follows commonly accepted ethical standards; or
  - any other purpose for which the Commission considers to be reasonable.
A few observations about a “reasonable interest.” First, the FTC can add to this list, so it is not exhaustive, but those activities not listed here would be deemed unreasonable and therefore not allowed. For example, what might be considered unreasonable “communications and marketing practices”? Advertising by third parties unrelated to the consumer based on the information the covered entity gave or sold the third party? Presumably, if this does not expose a consumer to a “privacy risk,” then it may be permissible. Second, the FTC will need to define a reasonableness standard by which a “business” operation “relevant and appropriate to the context of the relationship between the covered entity and the individual linked to the covered data” may be determined acceptable under the bill. Suppose a consumer is perusing Amazon’s website for books on substance abuse addiction and has granted the necessary permissions for the website to use such covered data to sell advertisements on its website aimed at this consumer regarding 12-step programs. Would that be acceptable? Possibly not, since this would be “sensitive information” that is protected at a different standard than “covered data.”
The bill introduces an equitable standard that would bar the collection, use, disclosure, or processing of covered data in a way that results in discrimination on the basis of a protected characteristic. Consequently, discriminatory targeted advertising practices, “price, service, or employment opportunity discrimination,” or any other practice the FTC thinks would result in discrimination on the basis of a protected characteristic would be disallowed. Incidentally, this standard would seem to place the FTC or state attorney general’s calculus on what constitutes discrimination on the disparate impact side of the issue as opposed to disparate treatment, which usually requires an intent to discriminate. Consequently, Republican and industry stakeholders would likely object to these provisions.
Finally, a forthrightness standard would bar covered entities from a number of potentially deceptive practices, including using “inconspicuous recording or tracking devices and methods,” disclosing the contents of a private communication, methods of representations that are misleading, and anything else the FTC decides does not meet this standard.
But then, would not these practices also run afoul of Section 5 of the FTC Act? However, the FTC would not be able to ask a court for fines on the basis of Section 5 violations.
The DATA Privacy Act employs both opt-out and opt-in rights for consumers depending on the type of information in question. Consumers would be able to opt out of collection, usage, processing, and disclosing “covered data linked to the individual.” However, the definition of “covered data” includes both data that is linked to an individual and information that can reasonably be linked to an individual. This statement of the right to opt out may be a bit muddled and in need of clarification. Is it all covered data or just the covered data that can be linked to a person?
And yet, consumers would need to express “affirmative, opt-in consent” in a number of situations:
- before the covered entity collects or discloses sensitive data linked to the individual; or
- before the covered entity collects, processes, stores, or discloses data for purposes which are outside the context of the relationship of the covered entity with the individual linked to the data, including—
  - the use of covered data beyond what is necessary to provide, improve, or market a good or service that the individual requests;
  - the processing or disclosure of covered data differs in material ways from the purposes described in the privacy policy that was in effect when the data was collected; and
  - any other purpose that Commission considers outside of context.
Again, the FTC would be given power to further define what data collection, usage, processing, or disclosure practices would require affirmative, opt-in consent. However, opt-in consent would allow covered entities to utilize a consumer’s data in many ways. Of course, a question lurking beneath all these enhanced notice and consent regimes is whether a consumer’s consent makes all data usage kosher.
Finally, covered entities would have the responsibility to minimize data including taking “reasonable measures to limit the collection, processing, storage, and disclosure of covered data to the amount that is necessary to carry out the purposes for which the data is collected; and…[storing] covered data only as long as is reasonably necessary to carry out the purposes for which the data was collected.”
However, the bill details circumstances under which covered entities may dispense with the requirements relating to data security: if the limitations on the collection, processing, storage, or disclosure of covered data would—
- inhibit detection or prevention of a security risk or incident;
- risk the health, safety, or property of the covered entity or individual; or
- prevent compliance with an applicable law (including regulations) or legal process.
The FTC’s regulations would also need to include requirements on how covered entities must allow consumers to access, correct, delete, and obtain a portable version of covered data. However, “[i]f the covered data that an individual has requested processed…is pseudonymous data, a covered entity may decline the request if processing the request is not technically feasible.” And, this type of data are “covered data that may only be linked to the identity of an individual or the identity of a device associated with an individual if combined with separate information.” Moreover, a covered entity may not retaliate or discriminate against a consumer that avails herself of these rights by “denying goods or services to the individual;” “charging, or advertising, different prices or rates for goods or services;” or “providing different quality of goods or services.”
The DATA Privacy Act links privacy and data security legislation, a feature favored by Democrats more than Republicans. The FTC’s regulations would “require covered entities to establish and implement policies and procedures regarding information security practices for the treatment and protection of covered data.” Among the elements these new regulations must address are “the level of identifiability of the covered data and the associated privacy risk…[and] the sensitivity of the covered data collected, processed, and stored and the associated privacy risk.” The FTC must also consider current “technological, administrative, and physical” safeguards and the costs of a covered entity implementing, maintaining, and regularly reviewing safeguards. Finally, the FTC is required to weigh how regulations would affect small and medium-sized businesses.
As mentioned, both the FTC and state attorneys general could enforce the new regime, and the FTC could intervene in any state action.