The BROWSER Act (S. 1116)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 here.

My apologies. I thought I had posted this write up and others on the various privacy and data protection bills. In any event, I’ll be doing some remedial work of a sort in putting these materials up, which is not to say I see any great movement on Congress passing a U.S. privacy and data protection bill.

In this post, we will examine one of the Senate bills sponsored by Senators Marsha Blackburn (R-TN), Tammy Duckworth (D-IL), and Martha McSally (R-AZ): the “Balancing the Rights Of Web Surfers Equally and Responsibly Act of 2019” (BROWSER Act) (S. 1116). S. 1116 would set up an enhanced notice and consent regime for consumers policed by the Federal Trade Commission (FTC) but only for certain classes of private sector entities collecting, sharing, selling, and using consumer information, mainly broadband providers and so-called “edge providers,” that is, entities like Google and Facebook that provide services online. This bill is much closer to the current FTC means for regulating privacy and data security even though the scope of the agency’s jurisdiction to police privacy practices for some types of consumer information would be expanded.

As noted, this bill would cover only “broadband internet access service[s]” and “edge service[s],” which as these terms are defined in the bill would mostly be technology and communications companies. Therefore, this bill would sweep much more narrowly than many of the other privacy bills introduced thus far. Accordingly, S. 1116 defines “broadband internet access service” as “a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service.” The bill also provides a definition of “edge service:” “a service provided over the internet—

for which the provider requires the user to subscribe or establish an account in order to use the service;

that the user purchases from the provider of the service without a subscription or account;

by which a program searches for and identifies items in a database that correspond to keywords or characters specified by the user, used especially for finding particular sites on the world wide web; or

by which the user divulges sensitive user information; and

includes a service described in subparagraph (A) that is provided through a software program, including a mobile application.”

Clearly, big technology companies like Facebook, Google, Instagram, Amazon, etc. would be classified as “edge providers.” Moreover, the definition of broadband internet access service would clearly include all of the internet service providers like Comcast or AT&T but would also seem to include cell phone service providers like Verizon and T-Mobile.

All covered service providers must “provide a user of the service with clear and conspicuous notice of the privacy policies of the provider with respect to the service.” Additionally, covered service providers must also give users “clear and conspicuous advance notice of any material change to the privacy policies of the provider with respect to the service.”

Whether consumers need to opt-in or opt-out on data use will turn on whether the information is “sensitive” or not. Under S. 1116, “sensitive user information” includes any of the following:

  • Financial information.
  • Health information.
  • Information pertaining to children under the age of 13.
  • Social Security number.
  • Precise geolocation information.
  • Content of communications.
  • Web browsing history, history of usage of a software program (including a mobile application), and the functional equivalents of either.

Among the information that would be deemed non-sensitive under the bill are meta-data (aka call detail records) from usage of a phone such as the addressee of a communication and the time, one’s order history from a site like Amazon, matters relating to employment, and other categories of information not enumerated above. Additionally, the bill deems “precise geolocation information” as sensitive information, suggesting “geolocation information” that is less than precise might be non-sensitive. So, perhaps a trip to a mall would not be considered “precise” but the stores a customer visits might be?

Covered service providers would need to “obtain opt-in approval from a user to use, disclose, or permit access to the sensitive user information of the user.” However, what constitutes the “approval” necessary to satisfy this requirement is not spelled out in the bill. Conversely, the provider of covered services must only offer consumers the option to opt out of the use, disclosure, and accessing of their non-sensitive personal information. Again “approval” is a key word as covered service providers need only obtain a consumer’s approval in order to opt-out.

As is usually the case, there are some exceptions to this seemingly general rule against using, collecting, sharing, or selling sensitive user information. Notably, in the following situations, covered service providers need not obtain opt-in approval from consumers:

(1) In providing the covered service from which the information is derived, or in providing services necessary to, or used in, the provision of the service.

(2) To initiate, render, bill for, and collect for the covered service.

(3) To protect the rights or property of the provider, or to protect users of the covered service and other service providers from fraudulent, abusive, or unlawful use of the service.

(4) To provide location information or non-sensitive user information—

(A) to a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the request of the user for emergency services;

(B) to inform the legal guardian of the user, or members of the immediate family of the user, of the location of the user in an emergency situation that involves the risk of death or serious physical harm; or

(C) to providers of information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.

(5) As otherwise required or authorized by law.

Covered service providers would not be able to require consumers to waive their privacy rights in exchange for use of a service. The bill stipulates that “[a] provider of a covered service may not—

(1) condition, or effectively condition, provision of the service on agreement by a user to waive privacy rights guaranteed by law or regulation, including this Act; or

(2) terminate the service or otherwise refuse to provide the service as a direct or indirect consequence of the refusal of a user to waive any privacy rights described in paragraph (1).”

The FTC would enforce this new privacy scheme under its existing Section 5 powers to police unfair and deceptive practices and crucially not as if a violation of an existing FTC regulation against unfair and deceptive practices. If the FTC is seeking to punish a violation of such a regulation, it may seek civil fines in the first instance. And, this is in contrast to the FTC’s general powers to punish unfair and deceptive practices with respect to data security and privacy violations, which is limited to monetary remedies in the form of equitable relief such as disgorgement and restitution. The BROWSER Act would be at odds with most other privacy bills that contain language such as “[a] violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.”

Again unlike other bills, the BROWSER Act does not provide the FTC with the authority to promulgate regulations under the Administrative Procedures Act (APA) process, and to the extent the agency would be able to write regulations to implement the bill, it would be under the much more lengthy and involved Moss-Magnuson procedures that have effectively halted the FTC’s regulatory activity (see “It’s Time to Remove the ‘Mossified’ Procedures for FTC Rulemaking” for a summary of these procedures). Therefore, the FTC would essentially extend to privacy regulation its current practice of penalizing companies for not maintaining “reasonable” data security standards on a case-by-case basis and not providing any bright lines to assure companies of the practices.

The FTC’s jurisdiction would be expanded, however, to police the privacy practices under the bill for broadband providers that would otherwise be subject to the jurisdiction and enforcement powers of the Federal Communications Commission (FCC).

The bill would preempt state privacy laws. To wit, “[n]o State or political subdivision of a State shall, with respect to a provider of a covered service subject to this Act, adopt, maintain, enforce, or impose or continue in effect any law, rule, regulation, duty, requirement, standard, or other provision having the force and effect of law relating to or with respect to the privacy of user information.” Of course, preemption of state laws is a non-starter for many Democrats but a sine qua non for many Republicans, leaving this as an area of ongoing dispute.

Regarding another issue that has split Democrats and Republicans in the past regarding data security legislation, the BROWSER Act would not provide a role for state attorneys general to enforce the new regulatory regime. However, Republicans may be willing to give on this issue provided consumers have no private right of action, and the BROWSER Act would not allow consumers to sue those providing covered services for violating the bill.

© Michael Kans and Michael Kans Blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans and Michael Kans Blog with appropriate and specific direction to the original content.
