A centrist Democratic privacy bill is back; chances of enactment are low.
Representative Suzan DelBene (D-WA) has revised her data privacy bill and beat all the other sponsors of such legislation from the last Congress to reintroduction. Even though industry stakeholders lauded the bill, it is not likely to advance in this Congress. Nonetheless, it may be a good indication of what industry stakeholders and centrist Democrats would like in federal privacy and data protection legislation.
DelBene has revised an already industry friendly bill and loosened it even further. This bill likely will not pass muster with fellow Democrats, for it still does not have a private right of action and it would still preempt state privacy laws. It is still based on the notice and consent model but the loopholes that allow for the collection and usage of personal information without consent seem to have been widened. And while the Federal Trade Commission (FTC) would seemingly be lined up with a doubling of its funding, this is not a certainty if the bill is enacted.
Last month, DelBene introduced the first major privacy bill of the 117th Congress, which shares a name with the bill she and cosponsors had introduced in 2019: the “Information Transparency and Personal Data Control Act” (H.R.1816), “legislation that would create a national data privacy standard to protect our most personal information and bring our laws into the 21st Century,” according to her press release (see here for more detail and analysis).
Despite sharing the same name and having many of the same features, DelBene’s bill has been changed significantly, mostly in ways industry stakeholders will find desirable and privacy and civil liberties advocates will likely find unfortunate. Additionally, there seem to be some provisions that Democrats more liberal than DelBene may find unpalatable, and so this bill, as written, seems not to thread the political needles necessary for passage of a federal privacy bill.
The Sense of Congress section that apparently functions as something akin to a Findings section has been altered. First, the aim of the bill is modified from establishing global standards in the creation of a U.S. digital privacy framework to complementing global standards. This may be a nod to the fact the General Data Protection Regulation is the closest to a global standard, and moreover may be a concession that even if DelBene’s bill is enacted as is, the GDPR would remain the world’s standard on data protection. Second, in a signal that runs throughout the bill, another “Sense of Congress” is expanded with respect to the types of activities the new federal privacy framework would encompass. In the last version, “federal guidance” was needed merely for the “collection and storage of sensitive data.” In the new version, “federal guidance” is required for the “collection, processing, disclosure, transmission and storage of sensitive data.” This change is present in numerous places throughout the bill, explicitly expanding its scope. Third, there is an entirely new subsection that serves as a succinct summary of the bill:
(6) individuals have a right to—
(A) exercise control over the personal data companies collect from them and how they use it;
(B) easily understandable and accessible information about privacy and security practices;
(C) expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data;
(D) secure and responsible handling of sensitive personal information;
(E) access and correct personal data in usable formats, in a manner that is appropriate to sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate; and
(F) reasonable limits on the personal data that companies collect and retain.
This serves less as a statement of changes in the revised version of the “Information Transparency and Personal Data Control Act” and more as a nice sketch of what the bill would do. Of course, this bill relies heavily on the notice and consent model, using the opt-in approach at times and the opt-out approach at others. And, like other bills, there is data collection and processing that residents of the U.S. would not be able to avoid. For example, the bill focuses on notice and consent for “sensitive personal information” but not “personal information,” which can fairly be read to include all data outside the definition of “sensitive personal data.” Moreover, there are four classes of data specifically identified as being outside this definition, one being “publicly available information,” which may reasonably be understood to mean everything one posts online from an account not set to private. And so, one’s every utterance on Twitter, Facebook, Instagram, etc. could be collected, processed, and used without consent. But the universe of data outside “sensitive personal data” is vast, for it apparently includes one’s name, address, place of employment, employment history, credit history, and any location data that is not precise geolocation data. On this last point, there is no definition of “precise geolocation information,” and so it is not clear what location data does not qualify as such and may be collected and used as any entity sees fit. Is it 1000 feet? Half a mile? A mile? The bill isn’t clear.
Turning back to the bill, the Federal Trade Commission (FTC) will still need to conduct a notice and comment rulemaking (i.e., the normal process by which regulations are drafted, which the FTC is usually barred from using) to govern data collection and usage. However, the scope and extent of the rulemaking have been both expanded and narrowed in places, and the timeline has changed from 12 months after enactment to 18 months after enactment. In terms of the first notable scope change, the rulemaking is expanded from just controllers to include processors and third parties. Given the fungibility of personal data, this would encompass more of the data ecosystem. In a similar vein, “transmission” of “sensitive personal data” is added to the activities the rulemaking must cover. In a place where a narrowing of the scope has likely occurred, the first bill would have directed the FTC to conduct a rulemaking on the collection and usage of “sensitive personal information” “from United States persons or persons located in the United States when the data is collected.” This condition is changed to “when the sensitive personal information is collected, transmitted, stored, processed, sold or shared.” This alteration both expands and narrows the rulemaking. The expansion obviously covers more of the activities of controllers, processors, and third parties. And yet, the narrowing comes because it is no longer “data” but instead “sensitive personal data,” with the latter being a subset of the former.
The contours of the FTC’s rulemaking are changed. Reflecting the expanded group of personal data activities the FTC is charged with bringing into the rulemaking, the notice controllers must give people is expanded. Hence, people must be informed through a controller’s privacy and data use policy of the controller’s proposed collection, transmission, selling, sharing, or disclosing of a person’s sensitive personal information. Additionally, they must affirmatively consent (aka opt in) to “any functionality” involved with the aforementioned activities, and the term functionality is not defined in the bill, leaving this job possibly to the FTC. It would seem most controllers will want it read as narrowly as possible so that their disclosure obligations are lighter.
In any event, the new version expands this portion of the FTC’s rulemaking remit to mandate that the controller’s documented instructions to processors and third parties must adhere to the notice provided to people. But another new provision immunizes controllers from processors and third parties violating the opt-in consent model, which would seem to remove a powerful incentive for controllers to monitor and oversee their processors’ and third parties’ activities regarding data collection, usage, and processing. Incidentally, there is a drafting error in DelBene’s bill text in that a subsection (C) was obviously deleted without the remaining subsections being relettered. One wonders what was removed.
The new “Information Transparency and Personal Data Control Act” clarifies the provisions spelling out the requirements for privacy and data use policies. First, it makes explicit what may have been implicit: that the FTC will draft and issue guidelines on the “general requirements” of each controller, processor, and third party’s “up-to-date, transparent privacy, security, and data use policy.” However, are these guidelines in the same sense that the National Institute of Standards and Technology’s (NIST) guidelines are respected but not binding? Or guidelines in the sense of regulations that controllers, processors, and third parties need to heed? This is not clear.
Another feature of the privacy and data use policies was loosened in the revision process. In the first bill, these policies would disclose the third parties “with whom the sensitive personal information will be shared and for what purposes.” The new bill requires disclosure only of categories of third parties. Two other provisions were eliminated that would also have given people more insight into how their sensitive personal information is being used. First, controllers, processors, and third parties would no longer have to disclose how long such data would be stored. Second, these entities will no longer need to say “[w]hether the sensitive personal information will be used to create profiles about users and whether they will be integrated across platforms.”
As noted above, mere personal information is subject to an opt-out regime, and DelBene’s revisions may remove incentives for processors and third parties to honor one’s wishes to opt out. In the previous bill, one could opt out of the range of data activities, including sharing with third parties. In the new bill, one may still opt out at any time, but even though controllers must pass along a person’s desire to opt out, the controller cannot be held liable for the processor or third party’s failure to heed the opt out. Again, as with the controller being legally protected from a processor or third party’s violations of the opt-in regime for sensitive personal data, the violations of the latter two entities cannot be imputed to the former. So long as the controller communicates the opt out request, it is in the clear. Again, the incentive structure would seem to allow for violations of a person’s wishes to opt out of the use and sharing of her personal data.
This section contains new language governing the contracts that controllers must have with their processors that limits processing to the instructions of the controller. Moreover, no contract can negate the provisions of the bill, so there is not the possibility of a controller circumventing the new law through an otherwise binding legal instrument.
The period of privacy audits is lengthened from annually to every two years, but the requirement is expanded to include processors and third parties. The small business exemption to the audit requirement is dramatically expanded, from those entities engaged in the collection, usage, and disclosure of the sensitive personal information of fewer than 5,000 people a year to those handling the data of fewer than 250,000 a year.
DelBene’s revised bill contains a curious section tasking the FTC with regulations to block auditors from selling information “under the guise of a potential violation by the controller products or services when there is not a violation of the Act.” This is novel language in Congressional privacy and data protection bills, aimed at a problem I’m having trouble seeing. It could be that some entity in the auditing world clued DelBene’s office in to a problem in their world with auditors using the personal data of entities they are auditing. Or is it a nefarious addition that someone with an interest in the auditing business persuaded DelBene’s staff was a problem in need of a remedy, but which is actually a play to eliminate or hamstring competition? Or perhaps this is aimed at the consulting firms one would see as naturals to enter the auditing field, who are themselves players in the data brokering world. Hard to say, as the language borders on the cryptic.
The new “Information Transparency and Personal Data Control Act” expands the exceptions to consent one finds in all the privacy and data protection bills. The revised bill adds non-sensitive personal information to all the exceptions, whereas only sensitive personal information had been covered in the first bill. Another expansion of the times when a person’s consent is not needed for data collection, usage, and disclosure is in the crimes a controller, processor, or third party is looking to prevent. In the first bill, it was just fraud, identity theft, and criminal activity. Now it is broadened to include unauthorized transactions, theft, shoplifting, financial crimes, and money laundering. This strikes me as overkill, as any of the added crimes would presumably be covered by “criminal activity.” Other exemptions were added: activities authorized under the Fair Credit Reporting Act; completing a transaction after personal information has been collected that is part of an ongoing relationship between the controller and the person; complying with federal, state, or local law; or conducting product recalls or servicing warranties.
Then the revised bill dramatically fleshes out the instances where a controller need not obtain opt-in consent from a person to collect, process, sell, share, or disclose his sensitive personal information so long as these practices do “not deviate from purposes consistent with a controller’s relationship with users as understood by the reasonable use.” Of course, if notice and consent is the model for DelBene’s bill, why not disclose these practices to the person and allow him or her to decide whether to engage with the controller? The answer to this question is probably something along the lines that the reasonable person would understand these activities are simply part and parcel of modern life, and so forcing controllers to disclose them would lengthen notices and is anyway unnecessary. I would suggest true notice would necessarily require disclosure of all purposes. Nonetheless, the bill makes clear that these, and possibly other, activities are outside the opt-in consent requirement:
(A) carrying out the term of a contract or service agreement, including elements of a customer loyalty program, with a user;
(B) accepting and processing a payment from a user;
(C) completing a transaction with a user such as through delivering a good or service even if such delivery is made by a processor or third party;
(D) marketing goods or services to a user as long as the user is provided with the ability to opt out of such marketing;
(E) taking steps to continue or extend an existing business relationship with a user, or inviting a new user to participate in a customer promotion, benefit or loyalty program, as long as the user is provided with the ability to opt out;
(F) conduct internal research to improve, repair, or develop products, services, or technology; or
(G) municipal governments.
The new “Information Transparency and Personal Data Control Act” clarifies the FTC’s authority over common carriers by explicitly stating that only the FTC will have the authority to police their privacy practices. Without such language, the Federal Communications Commission (FCC) would possibly have had jurisdiction over them; but this language also limits the FCC’s ability to regulate common carriers (i.e., telecommunications companies and broadband providers) more stringently.
DelBene’s bill incorporates a wrinkle new to most federal privacy and data protection legislation: an ability for violators to cure violations. The FTC would need to alert entities if they have non-willfully violated the act and give them 30 days to fix the violation. So this would cover negligent violations and perhaps reckless violations, but not willful violations where a party knew it was breaking the law and proceeded anyway. Knowledge is often a difficult element to prove in enforcement actions, and so this fact may persuade the FTC to treat some arguably willful violations as if they are non-willful in the hope the violator will correct the wrongdoing. Despite the massive increase in FTC resources, this limit would seem to hamstring the agency’s enforcement of the act. Moreover, state attorneys general looking to use the new privacy law would also have to give offenders 30 days to comply.
As noted, in one sense DelBene’s revised bill significantly increases the FTC’s resources, but the appropriations committees would have to follow through and actually provide these funds in legislation. Technically the bill increases the authorization of appropriations for the FTC, reflecting a historic method of separating the power to set an agency’s appropriations level from the purse strings that actually give agencies money. These days, authorization levels play little role in what gets appropriated, so the doubling the FTC would see in its authorization level may be seen as mere window dressing. Likewise, the directive for the FTC to hire 500 new employees to enforce privacy is also at the mercy of the appropriators. And so, one should view any claims of increasing the FTC’s funding with a grain of salt unless it is in an actual appropriations bill, a process over which Senate Republicans hold influence, and they are likely not on board for a dramatic enlargement of the FTC.
Turning to the definitions section, the revised bill adds one for collection (“buying, renting, gathering, obtaining, receiving, or accessing any sensitive data of an individual by any means”) and one for de-identified data. Likewise, there is a new definition for employee data. However, the definition of processor is dramatically expanded to reflect some of the changes in the revised bill, notably language clarifying that a processor becomes a controller when it processes data on its own behalf. The definition of sensitive personal information is expanded to include gender identity and intersex status; citizenship or immigration status; and mental or physical health diagnosis. But it is also narrowed to exclude
personal information reflecting a written or verbal communication or a transaction between a controller and the user, where the user is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the controller occur solely within the context of the controller conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency;
The revised “Information Transparency and Personal Data Control Act” expands the existing federal statutes exempted from its requirements to include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, the Family Educational Rights and Privacy Act of 1974, and the Fair Credit Reporting Act. Consequently, those financial services, healthcare, educational, and credit reporting entities regulated under those federal statutes would be exempted from this new regime.
The revised bill cuts the language that tailored the preemption of state privacy laws so as not to preempt the following:
State constitutional, trespass, contract, data breach notification, or tort law, other than to the degree such law is substantially intended to govern the collection of sensitive personal information and the collection, storage, processing, sale, sharing with third parties, or other use of such information.
Now, it appears upon enactment of this revised bill, one could no longer sue for privacy violations on any of those grounds.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.