Last week, we dived into Senator Catherine Cortez Masto’s (D-NV) “Digital Accountability and Transparency to Advance Privacy Act” (DATA Privacy Act) (S. 583). Of course, Cortez Masto served as the attorney general of Nevada for eight years prior to succeeding former Senator Harry Reid (D-NV), and this bill demonstrates her background as her state’s top prosecutor. This week, we will analyze the most stringent, most pro-consumer bill on privacy that I have seen introduced in this or the last Congress.
In November, Senate Finance Committee Ranking Member Ron Wyden (D-OR) released the “Consumer Data Protection Act” discussion draft, section-by-section, and one-pager, legislation not to be confused with Senator Bob Menendez’s (D-NJ) “Consumer Data Protection Act” (S. 2188), a data security and breach notification bill. In short, Wyden’s bill would vastly expand the power of the Federal Trade Commission (FTC) to police both the security and privacy practices of many U.S. and international multinational companies. The FTC would receive the authority to levy fines in the first instance, potentially as high as the European Union’s General Data Protection Regulation’s 4% of annual gross revenue. Moreover, the operative definition of the “personal information” that must be protected or subject to the privacy wishes of a consumer is very broad. The bill would also sweep artificial intelligence (AI) and algorithms (i.e. so-called big data) into the FTC’s jurisdiction.
The “Consumer Data Protection Act” would dramatically expand the types of harms the FTC could use its authority to punish to explicitly include privacy violations and noneconomic injuries. Currently, the FTC must use its Section 5 powers to punish unfair and deceptive practices, or another statutory basis such as COPPA, to target the privacy practices it considers unacceptable. Wyden’s bill would allow the FTC to enforce the FTC Act, as amended by his bill, to punish “noneconomic impacts and those creating a significant risk of unjustified exposure of personal information” as among those “substantial injur[ies]” made illegal. It is worth seeing the proposed language in the context of the section of the FTC’s organic statute (i.e. 15 U.S.C. 45(n)):
(n) Standard of proof; public policy considerations

The Commission shall have no authority…to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury *including those involving noneconomic impacts and those creating a significant risk of unjustified exposure of personal information* to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition (emphasis added to differentiate the language the bill would add.)
The FTC’s new authority would likely be defined in court actions testing the outer limits of what constitutes “noneconomic impacts” and the types of substantial injuries that create a significant risk of unjustified exposure of personal information. If this language were enacted, undoubtedly industry groups and conservative advocacy organizations would zealously search for test cases to try to circumscribe this authority as narrowly as possible. Finally, it bears note that this sort of language harkens back to the FTC’s construction of its statutory powers in the 1960s and 1970s that was considered so expansive that a Democratic Congress reined in the agency and limited its purview.
The FTC’s authority to levy civil fines through an administrative proceeding would be dramatically expanded along the lines of the EU’s power to levy massive fines under the General Data Protection Regulation. Notably, without securing a court order, the agency could impose civil fines as part of a cease and desist order, which shall be the higher of $50,000 per violation or 4% of the annual gross revenue of the offender in the previous fiscal year. The upper limits of such a fine structure get very high, very quickly. For example, a violation with 100,000 people affected yields an upper boundary of $5 billion assuming one violation per person. The privacy violations associated with Facebook’s conduct with Cambridge Analytica affected 87 million worldwide, and again assuming one violation per person, the upper boundary of the fine the FTC could levy would be $4,350,000,000,000. However, the FTC would likely not exercise this power to the utmost possible fine but rather dial back the fine to a more reasonable but still punitive amount. Nonetheless, the FTC would have the ability to recover up to $50,000 per violation or 4% of gross annual revenue for any violations of cease and desist orders by filing an action in federal court.
Despite expanding the FTC’s powers dramatically, those entities subject to the agency’s new enforcement powers would not include many medium and small businesses. Covered entities are described as those entities with more “than $50,000,000 in average annual gross receipts for the 3-taxable-year period preceding the fiscal year” and the “personal information” of more than 1,000,000 consumers, and 1,000,000 consumer devices. Additionally, a covered entity may be an affiliate or subsidiary of an entity that meets the aforementioned qualifications. Finally, the term “covered entity” covers all data brokers or commercial entities “that, as a substantial part of their business, collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”
Additionally, a subset of these covered entities with more than $1 billion in annual revenues that “stores, shares, or uses personal information on more than 1,000,000 consumers or consumer devices” or those “that stores, shares, or uses personal information on more than 50,000,000 consumers or consumer devices” must submit annual data protection reports to the FTC. Those entities must report “in detail whether, during the reporting period, the covered entity complied with the regulations” the FTC will promulgate to effectuate the “Consumer Data Protection Act” and the extent to which they did not comply by detailing which regulations were violated and the number of consumers affected.
Each report must “be accompanied by a written statement by the chief executive officer, chief privacy officer (or equivalent thereof), and chief information security officer (or equivalent thereof) of the company” that certifies the report fully complies with the requirements of the new statute. Any such person who certifies an annual data protection report knowing that it does not meet the requirements of this section, or who intentionally certifies one that does not, faces jail time and/or a personal fine based on income, depending on which state of knowledge the actor had in falsely certifying the report. Any CEO, chief privacy officer, or chief information security officer who knowingly certifies a false report faces a fine of the greater of $1 million or 5% of the highest annual compensation for the previous three years and up to ten years in prison. Intentional violations expose these corporate officials to the greater of a $5 million fine or 25% of the highest annual compensation for the previous three years and 20 years in prison.
Of course, falsely certifying while knowing that a report fails to meet all the requirements exposes a person to less criminal liability than intentionally certifying. However, the substantive difference between knowing certification and intentional certification is not immediately clear. Perhaps the bill intends “knowing” to be constructive knowledge (i.e. known or should have known) while intentionality in this context means actual knowledge.
With respect to the information covered entities would need to safeguard, the bill defines “personal information” as “any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device,” which is a very broad definition. Wyden’s bill also defines “use,” “share,” and “store” in the context of personal information:
- “share”—
  - means the actions of a person, partnership, or corporation transferring information to another person, partnership, or corporation; and
  - includes actions to knowingly—
    - share, exchange, transfer, sell, lease, rent, provide, disclose, or otherwise permit access to information; or
    - enable or facilitate the collection of personal information by a third party.
- “store”—
  - means the actions of a person, partnership, or corporation to retain information; and
  - includes actions to store, collect, assemble, possess, control, or maintain information.
- “use” means the actions of a person, partnership, or corporation in using information, including actions to use, process, or access information.
The FTC would be required to promulgate the detailed regulations discussed below within two years of enactment. This timeline may be more realistic than many of the other bills, which task the agency with detailed, extensive rulemakings within a year, a deadline the FTC may have trouble meeting. Nonetheless, the agency could take the first year or even 15 months to draft proposed regulations for comment.
The bill would task the FTC with establishing and running a “Do Not Track” data sharing opt-out website that would stop covered entities from sharing a consumer’s personal information, subject to certain exceptions, including the use of personal information acquired before a consumer opts out. That exception would apply when a covered entity needs to share the information to achieve the primary purpose for which the information was initially acquired. Additionally, this bar would be in effect for personal information a covered entity acquires from non-covered entities.
The FTC would also need to determine technological means by which a consumer’s opt-out on its website can be effectuated through web browsers or operating systems. The agency would also need to devise a method by which covered entities could determine which consumers have opted out, possibly through the development of an FTC Application Programming Interface (API). Thereafter, covered entities would have a duty to check the FTC’s opt-out database at regular intervals to ensure they are honoring consumers’ decisions to opt out. Covered entities would not need to respect a consumer’s desire to opt out in the event of required legal disclosures they need to make to the government, such as under warrants or subpoenas. The FTC would also need to “establish standards and procedures, including through an API, for a covered entity to request and obtain consent from a consumer who has opted-out…for the covered entity to not be bound by the opt-out,” including providing a list of third parties with whom personal information might be shared and a description of such information. And, if the covered entity requires consumers to consent to usage of their personal information before its products or services can be used, then the covered entity must “notify the consumer that he or she can obtain a substantially similar product or service in exchange for monetary payment or other compensation rather than by permitting the covered entity to share the consumer’s personal information.”
The FTC must also “establish standards and procedures requiring that when a non-covered entity that is not the consumer shares personal information about that consumer with a covered-entity, the covered entity shall make reasonable efforts to verify the opt-out status of the consumer whose personal information has been shared with the covered entity.” Thereafter covered entities may only use or store this personal information if a consumer has not opted out on the FTC’s website or if the covered entity has received the consumer’s consent for non-covered entities to collect and share their information.
Additionally, the FTC must draft regulations detailing the “standards and procedures” covered entities and non-covered entities must follow “to request and obtain consent from a consumer…that clearly identifies the covered entity that will be storing or using the personal information and provides the consumer” at the time consent is sought. Consumers must be informed “in a form that is understandable to a reasonable consumer” detailing the entity from whom personal information is to be obtained, the type of personal information to be collected, and the purposes for which such information shall be used.
Certain acts would be prohibited. Covered entities could not require consumers to change their opt-out election on the FTC’s website in order to access products and services “unless the consumer is also given an option to pay a fee to use a substantially similar service that is not conditioned upon a requirement that the consumer give the covered entity consent to not be bound by the consumer’s opt-out status.” Moreover, this fee “shall not be greater than the amount of monetary gain the covered entity would have earned had the average consumer not opted-out.”
Wyden’s bill also marries data security requirements with privacy protections for consumers, a position articulated by a number of prominent Democrats. Notably, the FTC would need to promulgate regulations that
- require each covered entity to establish and implement reasonable cyber security and privacy policies, practices, and procedures to protect personal information used, stored, or shared by the covered entity from improper access, disclosure, exposure, or use;
- require each covered entity to implement reasonable physical, technical, and organizational measures to ensure that technologies or products used, produced, sold, offered, or leased by the covered entity that the covered entity knows or has reason to believe store, process, or otherwise interact with personal information are built and function consistently with reasonable data protection practices;
The FTC would also need to draft regulations requiring “each covered entity to provide, at no cost, not later than 30 business days after receiving a written request from a verified consumer about whom the covered entity stores personal information” a way to review any personal information stored, including how and when such information was acquired and a process for challenging the accuracy of any stored information. Additionally, these regulations would “require each covered entity to correct the stored personal information of the verified consumer if, after investigating a challenge by a verified consumer…the covered entity determines that the personal information is inaccurate.” Covered entities would also need to furnish a list of the entities with whom the consumer’s personal information was shared and other detailed information, including the personal information of the consumer the covered entity acquired not from the consumer but from a third party.
The “Consumer Data Protection Act” would also institute regulations and requirements related to the increasing use of so-called “big data,” algorithms, machine learning, and artificial intelligence. The FTC would need to promulgate regulations mandating that each covered entity must “conduct automated decision system impact assessments of existing high-risk automated decision systems, as frequently as the Commission determines is necessary; and…new high-risk automated decision systems, prior to implementation.” However, it would be helpful to examine the bill’s definitions of “automated decision system,” “automated decision system impact assessment,” “high-risk automated decision system” and “high-risk information system”:
- “automated decision system” means “a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers.”
- “automated decision system impact assessment” means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security
- “high-risk automated decision system” means an automated decision system that—
  - taking into account the novelty of the technology used and the nature, scope, context, and purpose of the automated decision system, poses a significant risk—
    - to the privacy or security of personal information of consumers; or
    - of resulting in or contributing to inaccurate, unfair, biased, or discriminatory decisions impacting consumers;
  - makes decisions, or facilitates human decision making, based on systematic and extensive evaluations of consumers, including attempts to analyze or predict sensitive aspects of their lives, such as their work performance, economic situation, health, personal preferences, interests, behavior, location, or movements, that—
    - alter legal rights of consumers; or
    - otherwise significantly impact consumers;
  - involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;
  - systematically monitors a large, publicly accessible physical place; or
  - meets any other criteria established by the Commission in regulations…
- “high-risk information system” means an information system that—
  - taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers;
  - involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;
  - systematically monitors a large, publicly accessible physical place; or
  - meets any other criteria established by the Commission in regulations…
Consequently, algorithmic decision-making would be swept into the FTC’s new regime to govern privacy and data security. However, politically, this is not close to being on most Members’ consciousness as being related to privacy and data security. This reality marks the “Consumer Data Protection Act” as among the most forward-looking of the bills that have been introduced over the last year. And yet it is likely that any privacy or data security bill Congress passes will not include such provisions; however, a state like California could decide to wade into this area, which, as with privacy, could force policymakers in Washington to consider an issue percolating up to the federal level from one of the state laboratories of democracy.
In terms of enforcement, the bill explicitly bars the use of any contracts contrary to the rights and requirements in the “Consumer Data Protection Act.” Like virtually all the other bills on privacy, the FTC would be able to ask a federal court for civil fines for a first offense as high as a bit more than $40,000 per violation in addition to all the FTC’s other powers.
This bill is likely the outer bounds desired by the most ardent privacy and civil liberties advocate, and therefore is highly unlikely to get enacted in its current form. Other Democratic bills are far more modest in scope, and few of them address both security and privacy. The chances of enactment are very low, but Congressional interest in privacy legislation will continue because of the GDPR and the California Consumer Privacy Act.