The majority staff of the Senate Commerce Committee circulated the “United States Consumer Data Privacy Act of 2019” (CDPA), a draft data privacy bill days after Ranking Member Maria Cantwell (D-WA) and her cosponsors released the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis). Of course, these competing proposals came before the Senate Commerce, Science, and Transportation Committee’s hearing on legislative proposals on privacy.
In the main, this bill shares the same framework with COPRA with some key, significant differences, including:
- COPRA expands the FTC’s jurisdiction in policing privacy harms whereas CDPA would not
- COPRA places a duty of loyalty on covered entities to people whose covered data they process or transfer; CDPA does not have any such duty
- CDPA does not allow people to sue if covered entities violate the new federal privacy and security regime; COPRA would allow such suits to move forward
- CDPA preempts state privacy and data security laws; COPRA would establish a federal floor that states like California would be able to legislate on top of
- CDPA would take effect two years after enactment, and COPRA would take effect six months after enactment.
- The bar against a person waiving her privacy rights under COPRA is much broader than CDPA
- COPRA would empower the FTC to punish discriminatory data processing and transfers; CDPA would require the FTC to refer these offenses to the appropriate federal and state agencies
- CDPA revives a concept from the Obama Administration’s 2015 data privacy bill by allowing organizations and entities to create standards or codes of conduct and allowing those entities in compliance with these standards or codes to be deemed in compliance with CDPA subject to FTC oversight; COPRA does not have any such provision
- COPRA would require covered entities to conduct algorithmic decision-making impact assessments to determine if these processes are fair, accurate, and unbiased; no such requirement is found in CDPA
However, as noted the basic framework both bills create in establishing a federal privacy and data security regime are similar. Broadly, people would receive new rights, largely premised on being accurately informed of how their personal data would be used by covered entities. However, people would need to affirmatively consent before such data processing and transfers could occur.
The bills have similar definitions of what data is covered, what constitutes sensitive covered data, and the entities covered by the bill. Among the key similarities are:
- Both bills would require affirmative express consent for a range of data processing and transferring with COPRA requiring this sort of consent under more circumstances
- Like COPRA, CDPA marries data security requirements to privacy requirements; however, both COPRA and CDPA would deem entities already in compliance with a number of existing federal laws (e.g. Gramm-Leach-Bliley and HIPPA) to be in compliance with their data security requirements, and yet language in both bills suggests that to the extent that these federal standards fall short of the new data security standards, these entities would need to meet additional requirements
- Both bills would allow people to request a copy of their covered data being held by a covered entity, delete or de-identify covered data, to correct or complete such data, and to port their data to another covered entity; however, COPRA would provide additional rights such as the aforementioned duty of loyalty and a right to opt-out of transfers
- COPRA and CDPA would provide additional authority for the FTC to police data security with COPRA giving the agency broad authority to promulgate regulations and providing more descriptive guidance on how to do so with CDPA provided very targeted rulemaking authority that would likely continue the current case-by-case enforcement regime at the FTC
- The FTC could seek civil fines in the first instance of $42,530 per violation along with the current range of equitable and injunctive relief it can seek under both COPRA and CDPA
- Both bills allow state attorneys general could seek the same relief in the event of alleged violations
Separately from the release of this draft, Chair Roger Wicker (R-MS) said he was willing to allow a limited right for people to sue under a federal privacy bill but only to obtain injunctive relief and not monetary damages. This is a significant concession, for Republicans, including Wicker, have long characterized a private right of action as being out of the question. Of course, Wicker does not speak for other Republicans on the committee nor those in the Senate, so it is not exactly clear how much support he has for such a proposal. In the same vein, Wicker remarked to the media that the other main sticking points with Cantwell are on preemption and on a duty of loyalty. However, he may have been making this statement with some optimism for there are other, significant differences between these two bills, suggesting more negotiating is in order.
Also, it has been reported that Senators Richard Blumenthal (D-CT) and Jerry Moran (R-KS) are still working on their privacy bill but are not yet ready to release bill text. It is possible the release of these two bills speeds them to completion on the draft so they can lay down their marker.
However, turning to the substance of the bill, let’s start, as always, with definitions. Covered entities are “any person who operates in or affects interstate or foreign commerce,” which is a very broad definition that would sweep almost every entity in the U.S. and some overseas into it.
Covered data is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual.” The bill further provides “information held by a covered entity is linked or reasonably linkable to an individual if, as a practical matter, it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity to identify the individual or a device associated with that individual.” However, covered data does not include: aggregated data; de-identified data; employee data; or publicly available information. Aggregated data is a new term among the privacy bills we’ve looked at thus far and is “information that relates to a group or category of individuals or devices that does not identify and is not linked or reasonably linkable to any individual.”
“Sensitive covered data” “means any of the following forms of covered data of an individual” including but not limited to:
- A unique, government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
- Any covered data that describes or reveals the diagnosis or treatment of past, present, or future physical health, mental health, or disability of an individual.
- A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account.
- Covered data that is biometric information.
- Precise geolocation information capable of determining with reasonable specificity the past or present actual physical location of an individual or device at a specific point in time.
- The contents of an individual’s private communications or the identity of the parties subject to such communications, unless the covered entity is the intended recipient of the communication;
- Covered data revealing an individual’s racial or ethnic origin, or religion in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information.
- Covered data revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information.
- Covered data about the online activities of an individual that relate to a category of covered data described in another subparagraph of this paragraph.
- Covered data that is calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device.
- Any other category of covered data designated by the Commission pursuant to a rulemaking under [Administrative Procedure Act] if the Commission determines that the processing or transfer of covered data in such category in a manner that is inconsistent with the reasonable expectations of an individual would be likely to be highly offensive to a reasonable individual.
This is a fairly comprehensive list of covered data that would be considered sensitive.
Additionally, the FTC would be allowed to add other types of data if the agency goes through a rulemaking, providing flexibility and allowing the agency to address any future, unforeseen uses of personal data.
De-identified data is “information held by a covered entity that…does not identify, and is not linked or reasonably linkable to an individual or device” only if the covered entity publicly commits not to not re-identify the person or device. The covered entity would also need to put in place technical and organizational procedures to stop any possible linkage. Additionally, covered entities may not disclose de-identified data to any other entities without a contract or legal instrument barring the re-identification of the data.
CDPA defines affirmative express consent as “upon being presented with a clear and conspicuous description of an act or practice for which consent is sought, an affirmative act by the individual clearly communicating the individual’s authorization for the act or practice.”
The CDPA requires covered entities to fulfill the requests of people to access, correct, complete, delete or port their covered data within 45 days after receiving a verified request. However, a person may not request to access their covered data more than two times in a 12-month period, and for any additional requests, covered entities may charge a fee for such access. Of course, if a covered entity cannot verify the identity of the requester, then it does not need to meet the request. A covered entity may also deny a request if it would require the maintenance of information solely to fulfill the request, it is impossible or demonstrably impracticable to comply, or it necessitates the re-identification of de-identified data. The CDPA stipulates that none of these rights of obligations may be waived by a person in an agreement between a covered entity and a person. The FTC must promulgate regulations under the APA to implement this section.
Regarding the right to access one’s covered data, a covered entity must either provide the covered data or “an accurate representation” that is processed, any purposes for which such covered data is transferred, and a list of any third parties or service providers who have received covered data. A person has the right to request that a covered entity “correct inaccuracies or incomplete information with respect to the covered data of the individual that is processed by the covered entity; and notify any service provider or third party to which the covered entity transferred such covered data of the corrected information.” A person may also ask that a covered entity delete or de-identify any covered data the covered entity is processing and alert any third parties or service providers the covered entity has transferred the person’s covered data to. Finally, subject to technical feasibility, covered entities must generally provide covered data “in a portable, structured, standards-based, interoperable, and machine-readable format that is not subject to licensing restrictions.”
In regard to sensitive covered data, a covered entity must obtain affirmative express consent before it can process this subset of covered data or transfer it to a third party. This section also details how covered entities are to obtain affirmative express consent. People must be provided with notice that
- includes a description of the processing purpose for which consent is sought;
- clearly identifies and distinguishes between a processing purpose that is necessary to fulfill a request made by the individual and a processing purpose that is not necessary to fulfill a request made by the individual;
- includes a prominent heading that would enable a reasonable individual to easily identify the processing purpose for which consent is sought; and
- clearly explains the individual’s right to provide or withhold consent.
Covered entities will not be able to infer consent if a person does not act or in his continued use of the covered entity’s services or products. Moreover, a person must be presented “with a clear and conspicuous means to withdraw affirmative express consent.”
The language on the consent related to the sensitive covered data of minors is a bit confusing. Parents will be able to consent on behalf of their minor children in the same manner as they may consent for themselves (i.e. affirmative express consent). And yet, covered entities may not transfer the sensitive covered data of those 16 and younger to a third party if there is actual knowledge of the person’s age and unless the individual consents or her parent does.
Generally, covered entities must minimize how they collect, process, or share covered data to what is necessary for that purpose. Specifically, covered entities “shall not collect, process, or transfer covered data beyond
- what is reasonably necessary, proportionate, and limited to provide or improve a product, service, or a communication about a product or service, including what is reasonably necessary, proportionate, and limited to provide a product or service specifically requested by an individual or reasonably anticipated within the context of the covered entity’s ongoing relationship with an individual;
- what is expressly permitted by this Act or any other applicable Federal law.
There are exceptions to the rights granted to people just like all the other data privacy bills, which we will turn to momentarily. However, this section requires a bit of elaboration. The FTC will undoubtedly need to determine the broad strokes of what is “necessary, proportionate, and limited” in the different contexts that clause if used. And, yet the FTC is not broadly granted rulemaking authority under the APA to implement the CDPA, and so the agency would probably need to hash out these terms through the “common law” it is currently using to forge the federal data security and privacy regime. And, this may be the case even though the agency is required to issue guidelines recommending best practices for covered entities to minimize the collection, processing, and transfer of covered data in accordance with this section” within one year of enactment. Such guidelines will, of course, inform covered entities of the agency’s thinking, but the “necessary, proportionate, and limited” formulation may present a number of close cases that may be adjudicated by courts and/or the FTC.
CDPA lays out the rights, responsibilities, and roles of service providers and third parties under the new federal privacy regime. However, as always, let’s look at who would qualify as either. First service providers would be “with respect to a set of covered data, a covered entity that processes or transfers such covered data for the purpose of performing 1 or more services or functions on behalf of, and at the direction of, another covered entity that” is not a part of that covered entity. Third parties are those entities that are not service providers that receive covered data and, again, are not owned or affiliated with the covered entity. There are also definitions of “service provider data” and “third party data.” Regarding the former, it shall be those data that service providers are given by covered entities or those covered data the service provider collects on behalf of the covered entity and then processed or transferred per the covered entity’s instructions or direction. This could be firms that have dedicated services for processing covered data, possibly even data brokers. Third party data shall be those covered data that are not service provider data that are received from a covered entity. For example, BestBuy transferring covered data with the proper consent to Walmart would make the latter a third party and those covered data are third party data.
The Act stipulates that service providers may process “service provider data” only at the direction of the covered entity that provided the data and may not undertake any additional processing sua sponte. Likewise, the service provider may not transfer service provider data to third parties without the covered entity having obtained affirmative express consent in the first instance. What’s more service providers must delete and deidentify these data as soon as possible after the agreed upon processing has occurred or as soon after the completion of processing as is practicable.
Service providers do not need to respond to a person’s request to access, correct, complete, delete, or port covered data, but they must help covered entities fulfill these requests to the degree possible and upon being notified, they must comply with the request a person has made of a covered entity. However, service providers do not need to get affirmative express consent from consumers to transfer their sensitive covered data to third parties. Nor need service providers minimize covered data. So, it would appear that once a person provides a covered entity the necessary consent to process or transfer their sensitive covered data, then this subset of covered data may be transferred onward or processed by a third party. Additionally, it appears covered entities could transfer sensitive covered data to service providers without the affirmative express consent of a people, and then service providers appear free to process such data and to transfer it onward. However, the definition of “process” may weigh against such a reading, for it covers retention and handling of covered data, so perhaps this scenario is contrary to the constraints placed on covered entities.
Third parties “shall not process third party data for a processing purpose inconsistent with the reasonable expectation of the individual to whom such data relates.” Additionally, third parties “may reasonably rely on representations made by the covered entity that transferred third party data regarding the reasonable expectations of individuals to whom such data relates, provided that the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible.” And, like service providers third parties do not need to respond to a person’s request to access, correct, complete, delete, or port covered data nor minimize data retention.
Nonetheless, covered entities must exercise reasonable due diligence in selecting a service provider or transferring covered data to a third party in order to ensure compliance with the CDPA.
A subset of covered entities would need to meet other requirements. “Large data holders” “shall conduct a privacy impact assessment that weighs the benefits of the covered entity’s covered data collection, processing, and transfer practices against the potential adverse consequences to individual privacy of such practices.” Those covered entities that are large data holders are those that “processed or transferred the covered data of more than 5,000,000 individuals or devices that are linked or reasonably linkable to such individuals” or “processed or transferred the sensitive covered data of more than 100,000 individuals or devices that linked or reasonably linkable to such individuals (excluding any instance where the covered entity processes the log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity).” Covered entities would need to determine annually if they have passed either threshold and have become a large data holder that needs to conduct an annual privacy impact assessment. Thereafter, these assessments would need to be conducted every two years and would need to be approved by the entity’s privacy officer.
Like the other privacy bills, there are circumstances under which covered entities may disregard some of the responsibilities to people. In terms of exceptions to the general rights laid out for people, “a covered entity may collect, process or transfer covered data for any of the following purposes, provided that the collection, processing, or transfer is reasonably necessary, proportionate, and limited to such purpose:
- To complete a transaction or fulfilling an order or service specifically requested by an individual, including associated routine administrative activities such as billing, shipping, and accounting.
- To perform internal system maintenance and network management.
- Subject to [language governing biometrics], to detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.
- Subject to [language governing biometrics], to protect against malicious, deceptive, fraudulent, or illegal activity.
- To comply with a legal obligation or the establishment, exercise, or defense of legal claims.
- To prevent an individual from suffering serious harm where the covered entity believes in good faith that the individual is at risk of death or serious physical injury.
- To effectuate a product recall pursuant to Federal or State law.
- To conduct internal research to improve, repair, or develop products, services, or technology.
- To engage in an act or practice that is fair use under copyright law.
- To conduct a public or peer-reviewed scientific, historical, or statistical research that—
- is in the public interest;
- adheres to all applicable ethics and privacy laws; and
- is approved, monitored, and governed by an institutional review board or other oversight entity that meets standards promulgated by the Commission pursuant to [the Administrative Procedure Act]
As noted earlier, covered entities may “not process or transfer covered data of an individual that is biometric information” “to detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service” or “to protect against malicious, deceptive, fraudulent, or illegal activity” unless “these activities are “limited to real-time or short-term processing” and comply with to-be-promulgated FTC regulations. There is the further stipulation that “the covered entity does not transfer such information to a third party other than to comply with a legal obligation or to establish, exercise, or defend a legal claim.”
Small businesses would be provided with a limited carve out under the CDPA from heeding requests to access, correct, complete, delete, or port covered data and from the data minimization requirements binding on other covered entities. Such exempted small businesses would be those whose gross annual revenues for the preceding three years is $25 million or less, processing of covered data did not exceed more than 100,000 people or devices, and whose revenue from transferring covered data was less than 50% of its annual revenue.
Senate Commerce Republican staff have apparently acceded to Democratic insistence that data security be made part of a privacy bill as the CDPA contains such language. The bill provides generally that “[a] covered entity shall establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of sensitive covered data.” These data security standards should be “appropriate to the size and complexity of the covered entity, the nature and scope of the covered entity’s collection or processing of sensitive covered data, the volume and nature of the sensitive covered data at issue, and the cost of available tools to improve security and reduce vulnerabilities.” These standards should be designed to
- identify and assess anticipated human and technical vulnerabilities to sensitive covered data;
- take preventative and corrective action to address anticipated and known vulnerabilities to sensitive covered data; and
- delete sensitive covered data after it is no longer needed for the purpose for which it was collected unless such retention is necessary to comply with a law.”
Theoretically, those covered entities processing and transferring sensitive covered data would need to implement more robust data security standards than covered entities just handling covered data.
The FTC may, but is not required to, promulgate regulations under the APA and must consult with the National Institute for Standards and Technology (NIST). However, the FTC must “issue guidance to covered entities on how to—
- identify and assess vulnerabilities to sensitive covered data, including—
- the potential for unauthorized access to sensitive covered data;
- human and technical vulnerabilities in the covered entity’s collection or processing of sensitive covered data;
- the management of access rights; and
- the use of service providers to process sensitive covered data; and
- take preventative and corrective action to address vulnerabilities to sensitive covered data.”
If the FTC chooses to skip regulations and instead issue guidance, covered entities might be wise to heed the FTC’s views in the latter document, but they would not be required to meet any articulated standards.
And yet, those covered entities in compliance with the “Financial Modernization Act of 1999” (P.L. 106-102) (aka Gramm-Leach-Bliley) and the “Health Insurance Portability and Accountability Act of 1996” (P.L. 104-191) (HIPAA), mainly financial services and healthcare entities respectively, would be deemed to be in compliance with the CDPA. However, this compliance would be only with respect to “information security requirements.” Additionally,
Covered entities must also designate privacy officers and data security officers that “shall be responsible for, at a minimum…coordinating the covered entity’s policies and practices regarding the processing of covered data; and…facilitating the covered entity’s compliance with this Act.” Furthermore, “[a] covered entity shall maintain internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions that implicate compliance with this Act.” Those entities in compliance with a range of federal privacy regimes regarding “data collection, processing, or transfer activities” under those statutes would be deemed to be in compliance but only with respect to “the data collection, processing, or transfer activities governed by such laws.”
In terms of enforcing the CDPA, the FTC would be able to seek civil penalties in the first instance and common carriers and non-profits would be added to the universe of entities the FTC can police. Like COPRA, this bill would establish a “Data Privacy and Security Victims Relief Fund” in which the FTC shall deposit “any civil penalty obtained against any covered entity in any judicial or administrative action the Commission commences to enforce this Act or a regulation promulgated under this Act.” These FTC may use these funds “to provide redress, payments or compensation, or other monetary relief to individuals affected by an act or practice for which civil penalties have been imposed under this Act.”
State attorneys general may also bring actions to seek a range of remedies including to enjoin conduct in violation of the CDPA and to “obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State.” If two or attorneys general file suit against the same covered entity for the same conduct, the cases would be combined in federal court in the District of Columbia. Moreover, the FTC may intervene in an action brought by a state attorney general, and if the FTC brings an action first, state attorneys general may not bring actions until the FTC’s action finishes.
The CDPA uses a concept from the Obama Administration’s “Consumer Privacy Bill of Rights Act of 2015:” the creation of voluntary codes that private entities may adhere to after the FTC has signed off on them. Accordingly, the FTC “may approve certification programs developed by 1 or more covered entities or associations representing categories of covered entities to create standards or codes of conduct regarding compliance with 1 or more provisions in this Act.” Consequently, “[a] covered entity that complies with a certification program approved by the Commission shall be deemed to be in compliance with the provisions of this Act addressed by such program.” However, “[a] covered entity that has certified compliance with an approved certification program and is found not to be in compliance with such program by the Commission shall be considered to be in violation of the section 5 of the Federal Trade Commission Act…prohibition on unfair or deceptive acts or practices.”
The CDPA would preempt state laws on privacy but not any such laws or provisions regarding data breach notification. The CDPA would take effect two years after enactment, allowing covered entities, the FTC and other time to get prepared for the new privacy standards.
The FTC would receive limited responsibility to address discriminatory data processing or transferring. Notably, if the agency receives credible evidence of possible violations of federal laws barring discrimination (e.g. the 1964 Civil Rights Act), it would not investigate and possibly bring an action. Rather, the FTC would transfer this information to federal or state regulators with explicit authority to regulate discrimination.
The FTC would need to use its current Section 6(b) authority to obtain information from entities to examine “the use of algorithms to process covered data in a manner that may violate Federal anti-discrimination laws.” The FTC would send out demands for information and entities must answer upon pain of potential penalties. The agency would need to publish a report on its findings within three years and then publish guidance “to assist covered entities in avoiding discriminatory use of algorithms.”
Additionally, within six months of enactment of the CDPA, the National Institute of Standards and Technology (NIST) “shall develop and publish a definition of “digital content forgery” and accompanying explanatory materials” and no later than one year after NIST’s report, the FTC must “publish a report regarding the impact of digital content forgeries on individuals and competition.” The FTC must update the report at least every two years or more frequently if necessary.
The CDPA lifts a structure from the “California Consumer Privacy Act” (CCPA) (AB 375) in setting up a regime for data brokers to annually register with the FTC. The data broker would need to provide contact information and pay a $100 fee. Failure to do so could result in a fine of $50 per day and no more than $10,000 per year. The FTC would then publish the registration information on its website.