Key Republican privacy stakeholders have revised and released the third iteration of their data privacy bill. Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) and Consumer Protection, Product Safety, and Data Security Subcommittee Ranking Member Marsha Blackburn (R-TN) introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.2499).
In their press release, Wicker and Blackburn asserted:
Last Congress, Wicker released a staff draft of the United States Consumer Data Privacy Act and introduced the original version of the SAFE DATA Act a year later. The current bill resembles the staff draft framework that was developed through bipartisan negotiations. (see here for my analysis of the CDPA and here for the first SAFE DATA Act.)
Consequently, I will be comparing the revised SAFE DATA Act to the United States Consumer Data Privacy Act discussion draft (CDPA). Generally, the new bill loosens the restrictions and obligations on covered entities in a number of ways, but there are places where there is tightening.
Most critically for making headway with Democrats on a national privacy bill, there is no give on a private right of action or preemption of state privacy and data security laws. As a result, it is likely this revised bill is more about messaging and positioning, especially given the rediscovered emphasis on the need for privacy legislation that Republican stakeholders in both chambers have exhibited of late. A few weeks ago, Wicker, Blackburn, House Energy and Commerce Committee Ranking Member Cathy McMorris Rodgers (R-WA), and Consumer Protection and Commerce Subcommittee Ranking Member Gus Bilirakis (R-FL) wrote President Joe Biden urging him “to work with Congress to enact a nationwide consumer data privacy law.”
Moreover, Wicker and Blackburn have dropped the language from the SAFE DATA Act of last year that would have fixed the Federal Trade Commission’s Section 13(b) issues that resulted in a Supreme Court decision striking down its traditional use of these injunctive powers. This may be a tactic to get Democrats to insist on such language to get them to give on other issues. It may also be a sign Wicker and Blackburn want to deal with it separately as the House did in passing the “Consumer Protection and Recovery Act” (H.R.2668) that all House Democrats and two Republicans voted for. It is not clear at this point what this means.
Before I turn to the bill, it also bears mention that Senate Minority Whip John Thune (R-SD) and Senator Deb Fischer (R-NE) are not cosponsoring the new SAFE DATA Act as they did in the last Congress. Perhaps Thune and Fischer are working on privacy bills of their own or with Democrats. It is not clear why they are not sponsoring this bill.
Finally, let us see how the new SAFE DATA Act differs from the CDPA.
The definition for collecting was narrowed. In the CDPA, both unintentional and intentional data collection were considered collection; in the new SAFE DATA Act, by implication, collection could be construed to require intention.
The definition for de-identified data has been changed, too. This term now also includes information held by a covered entity that “does not contain any persistent identifier or other information that could readily be used to reidentify the individual to whom, or the device to which, the identifier or information pertains.” Otherwise, this term is identical, and so, the definition has been tightened, which is no small matter in light of how easily de-identified data can be re-identified (see here and here.) And, let us not forget that de-identified data are not covered data under the SAFE DATA Act, meaning the FTC largely cannot regulate the collection and use of de-identified data. Of course, this is meant as a safe harbor designed to encourage companies to hold personal data in a de-identified state as a means of fostering better data protection.
The term “publicly available information,” which is not covered data and therefore outside the scope of the bill’s new requirements, has been expanded. The CDPA had provided that “a disclosure to the general public that is made voluntarily by an individual or is required to be made by the individual under Federal, State, or local law” would not be publicly available information. The SAFE DATA Act would make it publicly available information.
Covered entity has been narrowed to exclude those entities not subject to FTC jurisdiction like banks and credit unions, among others, except that common carriers and non-profits would still be covered under the SAFE DATA Act. Consequently, the ambit of the SAFE DATA Act is tightened and may no longer be considered a national privacy act, for there will be classes of entities operating under other privacy laws. This may be contrary to claims that the bill establishes a national standard for data privacy. Additionally, this narrower class of entities must also “collect, process, or transfer covered data; and…determine the purposes and means of such collection, processing, or transfer.” It may be possible for one entity to collect and transfer personal data but not determine the purposes and means. This entity may have a colorable argument that it is not a covered entity. Likewise, what about an entity that does not collect covered data and uses only the data transferred to it by another entity? This entity may also have an argument that it is not covered. For simplicity, the SAFE DATA Act would be made stronger by deleting these extra requirements.
However, the argument can be made that the class of entities known as service providers fills these gaps, for they are covered entities that process or transfer covered data on behalf of another covered entity that presumably controls the purposes and means. This definition did not change much, nor did the definition of third party, which is a covered entity that is neither a service provider nor an affiliate or subsidiary of another covered entity.
The definition of “data broker” has been watered down, too. In the CDPA, it was simply “a covered entity that knowingly collects or processes on behalf of, or transfers to, third parties the covered data of an individual with whom the entity does not have a direct relationship.” Under the SAFE DATA Act, such entities must derive their principal revenue from data brokering, meaning entities such as Thomson Reuters or LexisNexis that have data brokering arms that are a minority of their revenue would not be data brokers. The previous bill’s definition was stronger and simpler. Additionally, service providers are excluded from being data brokers.
The SAFE DATA Act expands and narrows who is a “large data holder.” Lowering the threshold for processing and transferring personal data to 5 million people a year expands the universe of covered entities which would be large data holders. On the other hand, the number of people whose sensitive personal data is being processed or transferred to trigger this designation is raised from 100,000 people or devices to 300,000.
The definition for “processing purpose” has been strengthened through making this “a reason for which a covered entity processes covered data.” Previously, this reason needed to be “specific enough for a reasonable individual to understand the material facts of the processing.”
Sensitive personal data would be narrowed slightly. For example, the new bill excludes from this definition those “unique, government-issued identifiers that are required to be displayed to the public.” Off the top of my head, this would seem to include taxicab registrations, police badge numbers, and others of the like. “A persistent identifier” is also now considered sensitive personal data, another change. This term is defined as
a technologically derived identifier that identifies an individual, or is linked or reasonably linkable to an individual over time and across services and platforms, which may include a customer number held in a cookie, a static Internet Protocol address, a processor or device serial number, or another unique device identifier.
The other notable change to the definition is that the FTC would have a much freer hand in identifying other categories of sensitive personal data through a notice and comment rulemaking. The CDPA required a determination “that the processing or transfer of covered data in such category in a manner that is inconsistent with the reasonable expectations of an individual would be likely to be highly offensive to a reasonable individual.”
Finally, “precise geolocation” has been widened. Now it would mean “technologically derived information capable of determining the past or present actual physical location of an individual or an individual’s device at a specific point in time to within 1,750 feet.” This is much broader than the previous category of sensitive covered data defined as “[p]recise geolocation information capable of determining with reasonable specificity the past or present actual physical location of an individual or device at a specific point in time.”
Meta-data from communications would still not be considered sensitive covered data and would merely be covered data.
Additionally, definitions for “deceptive data practices” and “inferred data” have been deleted.
The bill’s effective date is moved up from two years to 18 months.
The revised SAFE DATA Act guts the protections in the CDPA for people vis-à-vis loyalty programs. In the first draft of this bill, covered entities could not deny goods or services if people exercised their new rights. Now, covered entities can. In fact, covered entities may deny a good or service if the exercise of a right “precludes the covered entity from providing such product or service to such individual.” Covered entities will surely interpret this as broadly as possible to try to get people to participate in loyalty and rewards programs at the cost of handing over covered data and possibly sensitive personal data. Covered entities can also offer goods and services at different prices depending on how a person exercises her rights. This would be another pain point many covered entities will likely use to try to force people to share personal data. Finally, the rights one can exercise without being denied services or goods have shrunk to just accessing, correcting, and obtaining one’s covered data.
The obligations on covered entities and the rights of people are further loosened with respect to the timeframe in which requests to exercise rights must be performed. The CDPA mandated action within 45 days; the revised SAFE DATA Act allows up to 90 days. The rights to access and correct remain the same.
However, there is a small, possibly consequential change. A couple of the rights now pertain to covered data the covered entity maintains, whereas before they covered the data it processed. Might a covered entity make the straight-faced argument that covered data collected and then transferred to another entity for processing is not maintained?
The exceptions to the exercise of the above rights have been widened. Now, in addition to a covered entity being allowed to deny such requests if it cannot verify a person, a company can turn down a person’s request to correct if it cannot verify that the information is inaccurate or incomplete. In the same vein, the reasons why a covered entity may deny a person’s requests have increased. Now, an entity may also turn down a person if compliance would
- result in the release of trade secrets, or other proprietary or confidential data or business practices;
- interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity, or enforce contracts;
- require disproportionate effort, taking into consideration available technology, or would not be reasonably feasible on technical grounds;
- compromise the privacy, security, or other rights of the covered data of another individual;
- be excessive or abusive to another individual; or
- violate Federal or State law or the rights and freedoms of another individual, including under the Constitution of the United States;
Additionally, covered entities would also now have the option to delete covered data if a person asks to access or correct her personal data so long as it is not sensitive covered data and was used only for “marketing communications.”
The SAFE DATA Act tasks the FTC with a notice and comment rulemaking for “establishing processes by which covered entities may verify requests to exercise rights.”
The SAFE DATA Act would still require consent only for the transfer and processing of sensitive covered data. Opt-in consent is required from the parents of those 13-16 years of age for only the transfer of covered data if the actual age of the teen is known. Basing this responsibility on actual knowledge will open the door to gamesmanship from some covered entities who will be willfully blind on this point.
Interestingly, the right to opt out is expanded. The SAFE DATA Act would provide this right to people before the collection, processing, and transfer of covered data, whereas the CDPA only allowed opting out of processing and transfers. The FTC could draft rules “to establish clear and conspicuous procedures for allowing individuals to provide or withdraw affirmative express consent for the collection of sensitive covered data.”
Service providers will now be able to transfer covered data to third parties without a person’s consent, a right one would have had under the CDPA. This provision is changed in the SAFE DATA Act to barring service providers from transferring “service provider data to a third party for any purpose other than a purpose performed on behalf of, or at the direction of, the covered entity that transferred the data to the service provider.”
The exceptions on collecting, processing, and transferring covered data in Section 108 have been expanded in some cases. Notably what was “[t]o perform internal system maintenance and network management” has now become
To perform internal system maintenance, diagnostics, product or service management, inventory management, and network management.
This strikes me as a malleable exception covered entities may use with impunity to circumvent the consent requirements in the SAFE DATA Act.
The new bill widens the exception related to the safety of people. In the CDPA it was: “[t]o prevent an individual from suffering serious harm where the covered entity believes in good faith that the individual is at risk of death or serious physical injury.” In the SAFE DATA Act, it is now:
To address risks to the safety of an individual or group of individuals, or to ensure customer safety, including by authenticating individuals in order to provide access to large venues open to the public.
An exception has been added: “[t]o transfer covered data to a service provider.”
A limitation on the processing and transferring of biometric data has been removed. In the CDPA, there were limits on both practices with regard to biometric data:
- to detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.
- to protect against malicious, deceptive, fraudulent, or illegal activity.
The small business exception was changed. Now, an entity can earn up to $50 million in gross revenues, process the covered data of 1 million people or fewer, have fewer than 500 employees, or derive less than 50% of its revenue from transferring covered data.
There is new language making clear that covered entities, service providers, and third parties “may not collect, process, or transfer covered data in violation of Federal civil rights laws.” This seems like superfluous language, for presumably any conduct that violates civil rights laws is already illegal and does not need to be restated in new laws on matters not contemplated when those laws were enacted. However, this language carefully excludes state civil rights law, some of which are broader than federal laws.
The CDPA’s section on digital content forgery was removed.
Under the SAFE DATA Act’s required data security policies and practices for covered entities, they would need to design these to “detect, respond to, and recover from cybersecurity incidents related to covered data.” This is a change from the CDPA’s requirement that such practices and policies be designed to “delete sensitive covered data after it is no longer needed for the purpose for which it was collected unless such retention is necessary to comply with a law.”
Turning to the bill’s corporate compliance requirements, there is a clarification that data privacy officers shall only be concerned with the bill’s privacy provisions and the same is true of data security officers.
The SAFE DATA Act limits the federal agencies a whistleblower may contact with information about noncompliance and violations to only the FTC.
Speaking of the FTC, the SAFE DATA Act seems to tie the agency’s hands in the use of its Section 5 powers to punish unfair and deceptive practices. Revised language provides that:
The Commission shall not bring any action to enforce the prohibition in section 5 of the Federal Trade Commission Act (15 U.S.C. 45) on unfair or deceptive acts or practices with respect to the privacy or security of covered data, unless such alleged act or practice violates this Act.
The SAFE DATA Act specifies that it authorizes $100 million for the FTC to enforce the new scheme whereas the CDPA left the actual figure blank.
The SAFE DATA Act removes the FTC’s discretion as to whether it will approve voluntary consensus standards or certification programs. Now the FTC must also establish a process for reviewing requests for approval through a rulemaking.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.