As rumored, in mid-December the House Energy and Commerce Committee released its privacy discussion draft, the result of a bipartisan effort led by Consumer Protection & Commerce Subcommittee Chair Jan Schakowsky (D-IL) and Ranking Member Cathy McMorris Rodgers (R-WA). According to media accounts, the subcommittee is sharing this draft with stakeholders and is asking for feedback by January 24. However, the discussion draft includes a number of key sections in brackets, indicating areas still under discussion, chief among them state preemption and a private right of action, the two sticking points that have bedeviled the crafting of bipartisan legislation thus far. Still, there seems to be broad agreement on much of the structure of a bill, with the Federal Trade Commission (FTC) being the primary enforcer and being granted rulemaking authority to implement the new regime.
Entities covered by the new bill are those already subject to FTC jurisdiction plus common carriers and non-profits. The personal information subject to the bill is “any information about an individual possessed by a covered entity that is linked or reasonably linkable to a specific individual [or consumer device;].”
The FTC must promulgate regulations that “require each covered entity to establish and implement reasonable policies, practices, and procedures regarding the processing of covered information.” Such privacy policies should be designed to
- comply with applicable privacy laws;
- consider the mitigation of privacy risks throughout every stage of the covered entity’s products and services, including their design, development, launch, and implementation; and
- implement reasonable training and safeguards within the covered entity to promote compliance with all privacy laws applicable to covered information the covered entity processes and mitigate privacy risks.
A person could ask, and receive an answer, as to whether a covered entity is processing their information. In the same vein, a person could also access the personal information held by the covered entity, the categories of personal information processed, any sources from which this personal information was collected, and other details. People would have the right to correct personal information held by a covered entity. Entities with more than $250 million in revenue that process the personal information of more than 10,000 people a year would need to meet additional requests. People could also ask a covered entity to delete covered information.
The bill limits data retention. Generally, “a covered entity shall not keep, retain, or otherwise store covered information for longer than is reasonably necessary for the purposes for which the covered information is processed” subject to a number of exceptions, including complying with legal requirements, for security purposes, preventing risks to health and safety, and other reasons.
There are detailed limits on the processing of personal information obtained by a covered entity, and the FTC would be required to promulgate regulations fleshing them out. Generally, processing may not occur without the consent of a person, but “[c]onsent for the processing of covered information is implied to the extent the processing is consistent with the reasonable consumer expectations within the context of the interaction between the covered entity and the individual.” There is bracketed language on allowing people to opt out of first party marketing. However, any data processing that is not consistent with a reasonable person’s expectations would require affirmative, express consent, and the FTC would need to promulgate regulations to spell out what constitutes affirmative express consent. Certain data processing would be prohibited, principally obtaining consent under false pretenses. Some covered information may not be processed, subject to certain exceptions, including biometric information, health information, geolocation information, and other specified types.
The FTC would promulgate regulations that would spell out the requirements covered entities and processors must enshrine in agreements in disclosing and processing personal information. Moreover, “[a] covered entity shall not disclose covered information to a third party unless the covered entity obtains prior express, affirmative consent of the individual to whom the covered information pertains.”
The FTC will conduct a notice and comment rulemaking to set data security standards for covered entities. Within one year of enactment, the FTC “shall require each covered entity and processor to implement and maintain reasonable administrative, technical, and physical security measures, policies, practices, and procedures to protect and secure covered information against unauthorized access and acquisition.” These standards will be geared to the entity’s activities, the sensitivity of the data being held and processed, the cost of implementing safeguards, and the currently available safeguards. However, this legislative direction to the FTC is “limited to the provisions included in this section.” In the event of a breach, a covered entity must notify the FTC and submit its security policies, which shall be exempted from FOIA requests.
The bill bans take-it-or-leave-it consent arrangements and financial incentives for agreeing to data processing. Specifically, “[a] covered entity shall not condition the provision of a product or service or the quality of customer experience to any individual on an individual’s agreement to waive any rights guaranteed by this Act [or to the individual’s consent to the processing of the individual’s covered information other than information necessary to provide the product or service].” Note the brackets in the original text, suggesting the final clause in the provision is subject to final negotiation. Likewise, a covered entity may not offer “a financial incentive in exchange for an individual’s agreement to waive any rights guaranteed by this Act [or to the individual’s consent to the processing of the individual’s covered information other than information necessary to provide the product or service].”
The bill would make it unlawful “for any covered entity to process covered information…in a manner that discriminates against or makes an economic opportunity unavailable or offered on different terms, on the basis of a person’s or class of persons’ race, color, religion, national origin, sex, age, or disability” concerning a range of areas, including housing, employment, credit, insurance, and others. It shall also be unlawful “for a covered entity to process covered information in a manner that segregates, discriminates in, or otherwise makes unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation on the basis of a person’s or class of persons’ race, color, religion, national origin, sex, age, or disability.” Additionally, the burden of proving such discrimination would be shifted to covered entities in that they would need to prove their processing is not discriminatory.
Smaller covered entities may be able to use “self-regulatory guidelines governing the processing of covered information by a covered entity” approved and monitored by the FTC. Eligible entities include those with $25 million or less in annual revenue, that process 50,000 or fewer people’s personal information a year, and that derive 50% or less of their revenue from selling personal information. The FTC must approve any such guidelines before use, as well as any future modifications, and may withdraw approval if the guidelines no longer adhere to the Act.
Information brokers would need to identify themselves as such on their websites and register with the FTC.
The FTC would need to establish a Bureau of Privacy to enforce this Act and all other data security and privacy laws within the FTC’s purview, including Section 5 of the FTC Act and COPPA. The FTC would be able to fine covered entities for violations in the first instance, with penalties of up to a maximum exceeding $42,000 per violation. The FTC would be free to seek all the relief it currently can under Section 5, including injunctions, restitution, disgorgement of ill-gotten gains, and other types of remedies. There is language in brackets that would cap civil penalties, but that would seem to be an item under discussion. State attorneys general would also be able to bring actions and seek all the relief the FTC can. There is a subsection title in brackets, A Private Right of Action, with no provisions, which is not surprising given the opposition of Republicans to such a means of relief. Similarly, there is a title with no language regarding state preemption.
© Michael Kans and Michael Kans Blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans and Michael Kans Blog with appropriate and specific direction to the original content.