Congress Releases Draft Privacy Bill

A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act.

Passage of the ADPPA, which combines elements of prior proposals in an effort to reach a legislative compromise, is still far from assured. But it represents a meaningful starting point for further discussions, and is already shaping the long-running debate on national privacy standards. This alert looks closely at the proposed statutory text that seeks to define the breadth and scope of a federal privacy regime that policymakers have contemplated for years.

Greater clarity about bill text and its overall prospects for passage are likely to emerge at the House Energy and Commerce Committee’s hearing scheduled for tomorrow at 10:30 a.m. ET.

Who is covered?

Entities that collect, process, or transfer covered data and are currently subject to FTC jurisdiction, as well as common carriers, and nonprofits are defined as “covered entities.” § 2(9)(A). This definition generally extends to entities that provide financial products and services other than banks, thrifts, and federal credit unions, which are exempt from the FTC’s jurisdiction. However, covered entities also include “any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.” § 2(9)(B). Therefore, banks with nonbank affiliates may be subject to the ADPPA.

What is covered?

• Information that “identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers” is defined as “covered data.” § 2(8)(A).
  • “Derived data” is created by the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data about an individual or device. § 2(11).
  • “Unique identifier” is “a technologically created identifier that is reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals,” including things like IP addresses, cookies, beacons, or similar technology; customer numbers; and unique pseudonyms or other forms of persistent or probabilistic identifiers. § 2(31).
• “Sensitive covered data” includes financial account numbers and access credentials; biometric, genetic, health, and demographic information; geolocation, online tracking, and television or streaming viewing information; government-issued IDs; private communications (unless the recipient is a covered entity); and information of individuals under the age of 17. § 2(22)(A). Payment transaction data is not specifically included, but the definition includes a catch-all for “any other covered data collected, processed, or transferred for the purpose of identifying the above data types.” § 2(22)(A)(xvi).

What is not covered?

Employee data, publicly available information, or de-identified data. § 2(10). Separately, the privacy and data security requirements do not apply to data that is handled “in compliance with” (rather than merely data that is “subject to”) the requirements of the GLBA, HIPAA, and/or the FCRA. § 404(a)(2)-(3).

What laws are preempted?

The bill takes a “jigsaw” approach to preemption that broadly claims preemption of state privacy laws, but preserves certain areas of state law (e.g., civil rights, data breach notification, and general consumer protection laws) and certain state-specific laws (e.g., the Illinois Biometric Privacy Act, the Illinois Genetic Information Privacy Act, and Cal Civ Code 1798.150). § 404(b).

What does the bill require?

The ADPPA models its requirements on state privacy laws and the GDPR, including:

• Data minimization: Covered entities may handle data only to the extent reasonably necessary and proportionate to provide or maintain a specific, requested product or service, or for a reasonably anticipated communication within the context of the business relationship, or as otherwise permitted by the bill. § 101(a).
• Opt-in and opt-out rights: The bill requires (i) an opt-in (via “affirmative express consent”) to process, collect, or transfer sensitive covered data; (ii) provision of a clear, conspicuous, and easy means to withdraw that consent; (iii) the right to opt out of targeted advertising; and (iv) the right to opt out of the transfer (or sale) of any covered data to a third party. § 204. “Affirmative express consent” is an affirmative act that “clearly communicates the individual’s freely given, specific, informed, and unambiguous authorization for an act or practice” in response to a covered entity’s specific opt-in request that itself must meet certain criteria — such as clearly describing the act or practice, clearly explaining the individual’s rights related to consent — and which the covered entity makes publicly available. § 2(1)(A-C). Continued use of a product or service does not qualify as express consent. The FTC would commission a study within 18 months of the bill’s passage on the creation of a privacy-protective, centralized opt-out mechanism. § 210(a).
• Privacy by design: Covered entities must establish and implement policies, practices, and procedures that account for privacy risks associated with the entity’s products and services, and implement reasonable training and safeguards, among other requirements. § 103(a).
• Transparency/privacy policy: Covered entities must make publicly available clear, conspicuous, and readily accessible privacy policies. The policy must include the covered entity’s identity and contact information, the categories of covered data collected or processed and processing purposes for each category, information about any third-party collecting entity, the time frame for retention or criteria for the time frame, and certain other requirements. § 103(b). Further, large data holders (those with over $250 million in annual gross revenues and who handle the covered data of more than 5 million individuals or the sensitive covered data of more than 100,000 individuals) must provide a short-form notice of their covered data practices. § 103(e).
• Access, correction, deletion, and portability rights: Individual data ownership and control, including the rights to access covered data and to export it in “a human-readable format that a reasonable individual can understand and download from the Internet.” § 203(a)(1)(A). Covered entities also must provide individuals the rights to access the name of any third party to whom covered data has been transferred, to access a description of the purpose for which data was transferred, to correct any inaccurate or incomplete information, and to delete covered data and notify any transferees of the deletion request. (§ 203(a)(1)(B-D)). These rights are subject to reasonable verification requirements and other exceptions, including that responses would result in the release of trade secrets.
• Algorithmic impact assessments: Any large data holder that uses an algorithm, solely or in part, to collect, process, or transfer covered data must conduct an impact assessment with specific requirements. § 207(c). Any covered entity that knowingly develops an algorithm, solely or in part, to collect, process, or transfer covered data must evaluate the design of the algorithm, including any training data used to develop it. A covered entity must use an external, independent auditor or researcher whenever possible to conduct the impact assessment or evaluation. § 207(c)(3).
• Data security safeguards: Entities must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures” that, at a minimum, assess vulnerabilities, take preventive and corrective action, evaluate preventative and corrective action, and dispose of unnecessary data. § 208(a-b).
• Additional requirements for “Third-Party Collecting Entities”: The bill requires third-party collecting entities (entities whose principal source of revenue derives from processing or transferring covered data not collected directly from the individual) to place a clear and conspicuous notice on their website or app that contains language to be developed through FTC rulemaking. § 206(a). These entities must also allow for individuals’ auditing of covered data (§ 206(b)), and must register with the FTC and abide by the requirements of a “Do Not Collect” registry link (§ 206(c)).
• Corporate accountability: Covered entities must annually certify to the FTC that they have established internal controls and reporting structures, and must appoint a privacy and data security officer, with additional requirements for large data holders, including periodic reviews, updates, audits, and “updated, accurate, clear, and understandable records of all privacy and data security practices.” § 301(a-c). Large data holders also must conduct a privacy impact assessment within the earlier of one year after enactment or one year after becoming a large data holder, with specific assessment requirements. § 301(d). A covered entity also must exercise reasonable due diligence in selecting a service provider and deciding to transfer covered data to a third party. § 302(c)(1). The FTC will publish guidance on complying with these requirements. § 302(c)(2).
• Requirements for service providers: A “service provider” is a covered entity that collects, processes, or transfers covered data while performing a service or function on behalf of, and at the direction of, another covered entity, if the handling of data is related to the performance of that service or function (or otherwise legally necessary). § 2(23). A service provider must only collect or process data for a purpose performed on behalf of and at the direction of a covered entity, except for legal purposes, must not transfer service provider data without the affirmative express consent of the individual (obtained by the covered data), and must delete service provider data as soon as practicable. And while a service provider is exempt from having to respond to data subject requests and the opt-in and opt-out requirements described above with respect to service provider data, it must (to the extent practicable) help a covered entity in responding to such requests. § 302.
• Requirements for third parties: Third parties are defined as persons or entities that collect, process, or transfer covered data that they received from a covered entity, which are not service providers with respect to that data, nor entities that share common branding and common control. § 2(27). Third parties may not process data for a purpose “inconsistent with the expectations of a reasonable individual,” but may reasonably rely on representations made by the covered entity regarding those expectations, provided the third party conducts reasonable due diligence and finds those representations to be credible. A third party also is exempt from the opt-in and opt-out rights described above with respect to third party data. § 302(b).

What does the bill prohibit?

• Restricted data practices: As part of a “duty of loyalty,” the ADPPA prohibits a number of data practices, including the collection, processing, or transferring of Social Security numbers (except for credit, authentication, or tax purposes), the transfer of any password (except for password managers), the transfer of precise geolocation information (absent affirmative express consent), and collection, processing, or transferring of biometric information (except for data security, authentication, to comply with legal obligations or with respect to legal claims, law enforcement purposes, or with affirmative express consent). § 102(a).
• Conditional service or pricing: Covered entities cannot deny, condition the provision of a product or service, offer differential pricing, or terminate service based on an individual’s agreement to waive any rights under the ADPPA or its regulations. § 104(a). This does not prohibit a covered entity from offering a loyalty program that provides discounted or free products or services, or other consideration, in exchange for an individual’s continued business, provided that the program otherwise complies with the ADPPA and its regulations. § 104(b).
• Dark patterns: The law prohibits obtaining, or attempting to obtain, an individual’s affirmative express consent through false or misleading statements or “the design, modification, or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision making, or choice to provide such consent or any covered data.” § 2(1)(D).
• Targeting advertising to minors or transferring their data: Covered entities with actual knowledge that an individual is under 17 may not (i) target advertising to that individual or (ii) transfer covered data without the express affirmative consent of the individual or her parent. § 205.
• Algorithmic bias: Covered entities may not “collect, process, or transfer covered data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, gender, sexual orientation, or disability.” § 207(a)(1). Exceptions include self-testing to prevent discrimination. § 207(a)(2).
• Mandatory arbitration clauses for minors: The bill prohibits mandatory arbitration clauses and class action waivers with respect to minors only. § 403(b)(1-2).

What are the general exceptions to the bill?

• Facilitating transactions, maintaining products and services, and preventing fraud: Among other exceptions, the  ADPPA specifically carves out (subject to data minimization requirements) the collection, processing, or transferring of data to (1) “initiate or complete a transaction or fulfill an order or service specifically requested by an individual, including any associated routine administrative activity such as billing, shipping, and accounting”; (2) to “maintain a product or service for which such covered data was collected [or to] conduct internal research or analytics to improve products and services” (so long as such data is not transferred); (3) to detect or respond to a security incident; (4) to protect against fraudulent or illegal activity”; or (5) to comply with a legal obligation. § 209(a)(1-5).
• GLBA, FCRA, and HIPAA-compliant data: Data that complies with the data privacy requirements of the GLBA, FCRA, or HIPAA are exempt from related requirements in the ADPPA. § 404(a)(2). Further, data that complies with the data security requirements of the GLBA or the Health Information Technology for Economic and Clinical Health Act are exempt from related requirements in the ADPPA. § 208(d).
• “Small data” exception: A covered entity establishing that during the three preceding calendar years (or since its inception, if less than three years old), it (a) made less than $41 million in annual gross revenues; (b) did not annually handle data of more than 100,000 individuals; and (c) did not derive most of its revenue from transferring covered data over any year, is exempt from (i) the bill’s specific data security requirements other than a document-retention policy; (ii) the requirement to appoint a privacy and data security officer; and (iii) the bill’s data portability requirement. § 209(c).

Other provisions

• Technical compliance programs: The ADPPA also establishes guidelines for the FTC to draft regulations that create a process for proposing and approving technical compliance programs. These programs relate to any technology, product, service, or method used by a covered entity to collect, process, or transfer covered data. While approval of a technical compliance program does not limit the FTC’s enforcement authority, compliance history and action taken to remedy noncompliance is taken into consideration. § 304.
• Commission-approved compliance guidelines: A covered entity also may apply to the FTC for approval of one or more sets of compliance guidelines, which the commission can approve after public comment. The FTC can withdraw its approval if it determines that the guidelines no longer meet the requirements of the act or its implementing regulations or that compliance is insufficiently enforced at the independent organization administering the guidelines. A covered entity that is eligible to participate, and participates in guidelines approved under the ADPPA, will be deemed in compliance with the act. § 305.

Who would enforce the law?

• The FTC: The bill would significantly expand the FTC, creating a new bureau “comparable in structure, size, organization, and authority to the existing Bureaus within the Commission related to consumer protection and competition,” in addition to a new division for Youth Privacy and Marketing. § 401(a); § 205(c). Any violation of the ADPPA, or regulation promulgated under the law, would be treated as a UDAP violation. § 401(c).
• State AGs: The states may bring a lawsuit in federal district court on behalf of their residents to enjoin a violation of the ADPPA; enforce compliance; obtain damages, penalties, or other restitution; and to obtain reasonable attorneys’ fees and costs, and the FTC has the right to intervene in those actions. § 402.
• Individuals: Four years after the law takes effect, individuals (or a class) may bring a lawsuit in federal court to obtain compensatory and/or injunctive or declaratory relief, and reasonable attorneys’ fees and costs. § 403(a)(2). Sen. Maria Cantwell, a Democrat from Washington, has stated her opposition to the four-year delay on the private right of action, saying that “consumers deserve the ability to protect their rights on day one.” Consumers would have to notify the FTC and state attorneys general first, who could decide to “independently take action” based on the violation. § 403(a). The bill also provides a “right to cure” that can limit actions for injunctive relief against “small data” collectors, and contains requirements for demand letters. § 403(b-c). 

We will cover tomorrow’s hearing and future privacy developments in our InfoBytes Blog.