Senator Brian Schatz (D-HI) and his cosponsors have reintroduced a slightly changed version of the “Data Care Act” (S. 2961), a privacy bill that would impose a fiduciary duty of care upon many entities that collect and use people’s personal data. In December 2018, Schatz and his cosponsors introduced the original “Data Care Act” (S. 3744) at a time when the Senate Commerce, Science, and Transportation Committee and other committees of jurisdiction had just begun examining privacy issues in light of the recent passage of the “California Consumer Privacy Act” (CCPA) (A.B. 375). Fourteen other Democratic Senators joined Schatz, including presidential candidates Senators Michael Bennet (D-CO), Amy Klobuchar (D-MN) and Cory Booker (D-NJ). That bill took a novel approach to the issues presented by the mass collection and processing of personal data by extending the concept of fiduciary responsibility, which currently binds health care professionals and attorneys with respect to their patients’ and clients’ information, to “online service providers.” Most of the original cosponsors are again sponsoring this bill; however, no Republicans cosponsored the first or current iteration of the bill, suggesting the fiduciary framework is not appealing to Senate Republicans.
Of course, Schatz and Klobuchar are also sponsoring the “Consumer Online Privacy Rights Act” (COPRA) (S. 2968) (see here for more analysis) along with Senate Commerce, Science, and Transportation Committee Ranking Member Maria Cantwell (D-WA). COPRA would empower the Federal Trade Commission (FTC) to police privacy and data security violations through augmented authority, would not preempt state laws to the extent they provide greater protection, would largely leave in place existing federal privacy statutes such as the “Financial Services Modernization Act of 1999” (aka Gramm-Leach-Bliley) and the “Health Insurance Portability and Accountability Act of 1996” (HIPAA), and would allow individuals to sue.
Incidentally, Senator Ed Markey (D-MA) is also sponsoring both bills, and he has his own bill, the “Privacy Bill of Rights Act” (S. 1214), which was one of the only bills to get an A in the Electronic Privacy Information Center’s report on privacy bills. (See here for more analysis.) Finally, Klobuchar has also released a narrower bill with a Republican cosponsor, the “Social Media Privacy Protection and Consumer Rights Act of 2019” (S. 189), that would require major tech companies to give consumers an opportunity to opt in to or opt out of the company’s data usage practices after offering enhanced notice of the purposes for which the personal data may be used. (See here for more analysis.)
And, Schatz has been in negotiations with other members of the Senate Commerce, Science, and Transportation Committee with the goal of developing a bipartisan bill to regulate privacy at the federal level. As discussed in past issues of the Technology Policy Update, stakeholders in both the House and Senate continue to negotiate privacy bills, but significant disagreements have been reported over whether such a bill should include a private right of action, whether it should preempt the CCPA and other state laws, and whether the new regime should rest primarily on enhanced notice and consent or instead prohibit certain conduct outright, among other issues.
Turning to the Data Care Act, this legislation is built on a concept fleshed out by law professor Jack Balkin in his article “Information Fiduciaries and the First Amendment,” which would place duties on companies collecting and using consumer data similar to those that lawyers and doctors must meet in handling client and patient information. Balkin explained that these so-called “information fiduciaries” should “have special duties to act in ways that do not harm the interests of the people whose information they collect, analyze, use, sell, and distribute.”
In short, under the “Data Care Act,” “online service providers” would be severely limited in how they collect, share, and sell personally identifiable information (PII) (termed “individual identifying data” in the bill), because these companies would need to treat their customers’ PII as privileged and deserving of a greater level of protection, much as the HIPAA regulations impose that standard on health care providers and bar associations’ rules impose it on attorneys. What’s more, the scope of who is an online service provider would seem to encompass most consumer-facing companies doing business on the internet.
An “online service provider” is defined as an entity “engaged in interstate commerce over the internet or any other digital network; and in the course of business, collects individual identifying data about end users, including in a manner that is incidental to the business conducted.” This very sweeping definition would cover almost any business or entity doing business in the U.S., even one whose business does not cross state lines, given how broadly the Supreme Court has often construed the Commerce Clause. However, unlike other bills, this one would give the FTC discretionary authority to exclude categories of online service providers from the fiduciary duties the bill would otherwise impose; the FTC is directed to consider the privacy risks posed by each category of online service provider. Normally, the other privacy bills instead create a threshold below which only limited obligations attach for smaller and mid-sized businesses, with an exception for data brokers.
The bill requires that “[a]n online service provider shall fulfill the duties of care, loyalty, and confidentiality” with respect to consumers’ personal information, which is also broadly defined in the bill. The duty of care requires online service providers to “reasonably” safeguard “individual identifying data” from unauthorized access and to notify consumers of any breach of this duty, subject to FTC regulations that would be promulgated. The duty of loyalty would require online service providers not to use the information in a way that benefits them to the detriment of consumers, including uses that would result in reasonably foreseeable material physical or financial harm to the consumer. Finally, the duty of confidentiality limits the disclosure or sale of consumers’ information to instances in which the duties of care and loyalty are observed (i.e. when the information will be safeguarded and not used to the detriment of consumers).
Moreover, the bill would require that, should an online service provider wish to share or sell consumers’ information with a third party, it enter into a contract with the other party that requires that party to meet the same duties of care, loyalty, and confidentiality. The revised bill further tightens this requirement by stipulating that “If an online service provider transfers or otherwise provides access to individual identifying data to another person, the requirements of [the duties of loyalty, care, and confidentiality] shall apply to such person with respect to such data in the same manner that such requirements apply to the online service provider.” Note that this additional requirement applies to the transfer of PII to any person, not just to other online service providers, meaning virtually any transfer would be captured by this standard; a potential loophole in the bill has thus been closed.
The FTC would enforce the act and would have the authority to levy fines in the first instance for violations, but state attorneys general would also be able to bring actions for violations in the event the FTC does not act or after FTC action. This latter power has long been a Democratic priority in the realm of data security and may be a non-starter with Republicans. Moreover, the bill does not preempt state laws, meaning the FTC could investigate a violation under this act while states investigate under their own laws. The FTC would be given authority under the Administrative Procedure Act (APA) to promulgate regulations instead of having to use the much more onerous Magnuson-Moss rulemaking procedures the FTC must otherwise follow. These regulations would cover the aforementioned breach notification requirements and possible exemptions from the duties that would otherwise apply to online service providers (e.g. for small companies), among other matters. The bill also expands the FTC’s jurisdiction to non-profit entities and common carriers that may be online service providers.
Unlike many of the Democratic bills, there is no private right of action, which would disappoint many stakeholders on the left but would conversely please many industry and Republican stakeholders. Nor would people have the explicit right to access, correct, delete, or port their information as they would under other bills; and yet, the fiduciary concept would necessarily entail some of these rights. There are no provisions on obtaining a person’s consent, for the onus is entirely on how the covered entity handles the information. In short, this seems to be a framework that would sidestep issues related to notice and consent regimes. Additionally, unlike almost all the other bills, there are no detailed exceptions under which a person’s consent would not be needed to collect and process information (e.g. for security processes, to protect against fraud, or to develop new products).