This week, we will look at a pair of bills referenced by Senate Banking, Housing, and Urban Affairs Committee Chair Mike Crapo (R-ID) at a recent hearing on data ownership that take a different approach to privacy. In short, these bills would approach the issues presented by mass collection and use of consumer data by granting ownership rights.
Senator John Kennedy (R-LA) introduced the “Own Your Own Data Act” (S. 806), and Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951).
The “Own Your Own Data Act” provides that “[e]ach individual owns and has an exclusive property right in the data that an individual generates on the internet under section 5 of the Federal Trade Commission Act.” This provision of a new right raises many more questions than it answers. Presumably, the required rulemaking the Federal Trade Commission (FTC) must undertake to effectuate this language will fill some gaps and define the terms that this brief three-page bill does not.
Additionally, every “social media company,” a term not defined by the bill, must
- have a prominently and conspicuously displayed icon each user may click to obtain a copy of the user’s data with any analysis of the user’s data performed by the social media company;
- have a prominently and conspicuously displayed icon each user may click to easily export the user’s data with any analysis of the user’s data performed by the social media company.
These provisions would seem to lend themselves to greater transparency in how one’s personal data is being used and portability should someone want to use a different platform.
The key provision of the bill, however, is that every user of a social media company’s offerings must “knowingly and willfully enter into a licensing agreement” during the registration of the account. For future users this legislation would grant them the ability to license the exclusive property that is their data, but what of existing accounts such as the millions of Facebook, Twitter, and Google accounts in the U.S.? Would this be only prospective as legislation typically is? And, if so, then current users of Twitter, and Facebook may not be able to license their accounts as the companies might not need to offer them the opportunity. As a practical matter, these companies might offer current users the opportunity, but within the four corners of the bill, they would be under no obligation to do so.
The FTC would be able to enforce this act. However, it is not altogether clear how the FTC would enforce this act. Would the misuse or stealing of a person’s personal data be considered a violation of the Section 5 prohibition on unfair and deceptive practices? Will the FTC’s required rulemaking deem a violation of one’s exclusive property right in their personal data a violation of the Section 5 bar against deceptive and unfair practices? Or is the FTC to wade into enforcing personal licenses and punishing violations? Would the agency husband its resources and wait until it has a sizeable number of complaints about social media company X before it investigates? This may be a likely outcome given that a number of critics of the FTC already claim the agency is stretched too thin and brings too few enforcement actions for data security and privacy violations.
Regarding the rulemaking, the FTC “promulgate regulations carrying out this [bill], which shall be approved by Congress.” Presumably the agency must use the more cumbersome Moss-Magnuson procedures for rulemaking instead of the Administrative Procedure Act (APA) notice and comment process? However, the bill does not speak directly this point, and so it is likely the FTC would be stuck using the Moss-Magnuson process which has effectively choked off the agency’s rulemaking capability.
How exactly will Congress must approve these regulations? Will it be like reprogramming requests that usually require the assent of the Appropriations Committees often through a formal process? Or will the informal sign off from the committees of jurisdiction over the FTC suffice? Or must Congress pass a resolution of approval or disapproval as it may under a number of statutes designed to police executive branch actions? The bill leaves this question unanswered.
A different privacy bill we examined, the “American Data Dissemination (ADD) Act” (S. 142) also requires the FTC to submit regulations to Congress. In the case of that bill, the agency needs to send “detailed recommendations [to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee] for privacy requirements that Congress could impose on covered providers that would be substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.” 12-15 months after the FTC submits this report, it would be required to submit to the same committees proposed regulations that would similarly make covered entities subject to requirements along the lines of how the Privacy Act of 1974 applies to federal agencies.
However, despite creating a property right, there is no right of action provided by the bill. Consumers would not be able to sue if their licensing of their “exclusive property right in the data” they generate is violated. Normally, for most property rights, consumers may go to court if they think their rights to this property have been impinged. This bill would not grant such a right to consumers, and I do not know of any other federal grounds under which consumers would be able to sue. Or would a person’s data be similar to trademarked or copyrighted information? Among the many questions raised under this scheme, would consumers be able to use existing state property statutes to sue in state courts? Could a state like California enact a right to sue for a violation of this newly created federal right?
This week’s other bill, the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951), would force a select class of online entities to disclose how much they earn from users’ data and also provide consumers the right to delete their data subject to some exceptions. The entities would need to file additional disclosures with the Securities and Exchange Commission (SEC) to bring greater transparency to consumers, shareholders, and investors regarding the value of the data that companies collect and then share.
The bill defines which companies or entities would be “commercial data operators” those “acting in its capacity as a consumer online services provider or data broker that—
- generates a material amount of revenue from the use, collection, processing, sale, or sharing of the user data; and
- has more than 100,000,000 unique monthly visitors or users in the United States for a majority of months during the previous 1-year period.”
This definition would seem to include a small class of online entities while excluding most businesses that generate a material amount of their revenue from other activities. But, how “material” is defined would determine how a company like an auto manufacturer that derives significant revenue from both auto sales and the sale or sharing of personal data would be treated. Nonetheless, those entities that act as data brokers would be swept into this definition of commercial data operators, and they would need to meet the new responsibilities imposed on them.
Generally, the bill would require every commercial data operator to “provide each user of the commercial data operator with an assessment of the economic value that the commercial data operator places on the data of that user.” The agency charged with effectuating this portion of the bill, the FTC, would likely need to spell out what constitutes an “assessment of economic value.” Would this need to be consumer friendly and easily understandable?
Additionally, commercial data operators would have to reveal to all users the following
- the types of data collected from users of the commercial data operator, whether by the commercial data operator or another person pursuant to an agreement with the commercial data operator; and
- the ways that the data of a user of the commercial data operator is used if the use is not directly or exclusively related to the online service that the commercial data operator provides to the user
These disclosures seems straightforward and seem designed to better inform consumers about all the sources from which a commercial data operator is obtaining data and all the additional uses of user data beyond those immediate uses of the commercial data operator. Again, how this information is presented to consumers would be key, for if the format is barely intelligible or a sprawling spreadsheet, then one wonders how much the average use of Twitter would understand it. Additionally, would the FTC be able to aggregate these data and publish de-identified statistics on industry-wide data usage practices for commercial data operators? It would appear so. Additionally, the filings that must be made to the SEC would seem to present the FTC and the Department of Justice with a new source of data to investigate possible anti-competitive activity in the markets where commercial data operators are present.
Users must also be able to delete all the data a commercial data operator possesses subject to certain exceptions by the use of “a single setting” or “another clear and conspicuous mechanism by which the user may make such a deletion.” The excepted circumstances under which deletion may not occur are
- in cases where there is a legal obligation of the commercial data operator to maintain the data;
- for the establishment, exercise, or defense of legal claims; or
- if the data is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or assist in the prosecution of those responsible for such activity.
However, commercial data operators may not retain any more user data than is necessary to “carry out” the aforementioned exceptions to the general right of users to delete their data. This would seem to serve as a limit to an entity’s likely inclination to interpret such restrictions in ways most favorable to them. However, the extent to which these companies did not push the boundaries egregiously will hinge on FTC enforcement.
As mentioned, the FTC would enforce this new regime. Like virtually all the other privacy bills, the FTC would be empowered to treat acts contrary to the bill “as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act,” meaning the ability right off the bat to ask federal courts for civil fines of more than $40,000 per violation in addition to all the other enforcement tools the FTC normally wields in data security and privacy cases. Of course, the full panoply of the FTC’s other powers would still be available for such cases.
In a twist for a privacy bill, commercial data operators would need “to file an annual or quarterly report” with the SEC that must disclose” the aggregate value, if material, of—
- user data that the commercial data operator holds;
- contracts with third parties for the collection of user data through the online service provided by the commercial data operator; and
- any other item that the [SEC] determines, by rule, is necessary or useful for the protection of investors and in the public interest.
The SEC must also “develop a method or methods for calculating the value of user data required to be disclosed” and “provide quantitative and qualitative disclosures about the value of user data held” by some commercial data operators.”
These data disclosure requirements would likely bring much greater transparency into the data practices of a company like Facebook or Google, presumably allowing investors to better understand and value such companies. In a section-by-section summary, Warner and Hawley asserted two additional ways the bill would address data privacy and usage:
- making the value more transparent could increase competition by attracting competitors to the market.
- disclosing the economic value of consumer data will also assist antitrust enforcers in identifying unfair transactions and anticompetitive transactions and practices.
While these two bills take different approaches on data privacy by trying to leverage the economics of data, it is not clear how appealing these are to Democrats whose agreement will be needed before any privacy leverage can move forward. Possibly a modified version of the concepts in these bills could be added to a broader privacy bill such that entities collecting and sharing data would need to make additional disclosures to the SEC.