As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be an uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.
We have answered your key questions about this proposed legislation below, including:
Who would the bill apply to?
How is “personal data” defined under the bill?
What are the substantive obligations?
Are there any safe harbors?
How would the bill be enforced?
Does the bill preempt state laws?
Who would the bill apply to? The proposed Consumer Privacy Bill of Rights would apply broadly to companies and other entities (including non-profit organizations) that collect, use, or otherwise process personal data, which, as noted below, is defined quite broadly. There is a carve out for companies with 25 or fewer employees that only process employee and job applicant personal data, as well as a carve out for companies that do not process certain sensitive data (e.g. SSNs, medical history, precise geolocation information) and that either process the personal data of fewer than 10,000 individuals and devices per year or that have 5 or fewer employees. The bill does not carve out companies that are also subject to obligations pursuant to other federal privacy or data security laws, such as financial institutions and health care covered entities.
How is “personal data” defined under the bill? Personal data is defined quite broadly as any data that is linked or linkable to a specific individual or that is linked to a device that is associated with or routinely used by an individual. It specifically includes “unique persistent identifiers” and “unique identifiers or other uniquely assigned or descriptive information about personal computing or communication devices.” In contrast to EU data protection principles, the bill would carve out certain employee data, including an employee’s name, title, and business contact information. The bill would also carve out certain “cyber threat indicators” that are processed to respond to a cybersecurity threat or incident.
What are the substantive obligations? A summary of the key substantive provisions is as follows:
- Transparency. Companies would be required to provide consumers concise and easily understandable notice about their privacy and security practices. The notice would be required to include certain categories of information.
- Individual Control. The draft specifies that companies would be required to provide individuals with “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.”
- While the draft bill does not provide specific guidance about how this principle would be applied, the bill contemplates that there would be at least some contexts in which the principle would require that consumers be afforded the right to request the deletion or de-identification of their personal data. Upon such a request, companies would have 45 days to delete or de-identify the personal data.
- The bill specifically notes that the principle would not require companies to respond in a manner that is not compatible with a legal obligation to retain or “any applicable First Amendment interest of the covered entity in the personal data.”
- Respect for Context. In the event a company processes personal data “in a manner that is not reasonable in light of context,” the company would be required to conduct a privacy risk analysis and then take reasonable steps to mitigate any identified privacy risks. At a minimum, these reasonable steps would include (1) in-context notice regarding the “unreasonable” personal data practices (e.g., so-called “just in time” notices) and (2) “a mechanism for control that is reasonably designed to permit individuals to exercise choice to reduce such privacy risk.”
- The legislation also contemplates the formation of one or more Privacy Review Board(s) approved by the FTC. “Unreasonable” analysis of personal data under the supervision of a Privacy Review Board would not be subject to the heightened transparency and control requirements described above.
- The bill sets forth an additional requirement to conduct a “disparate impact analysis” before “analyzing” personal data in a manner that is “not reasonable.” The prescribed disparate impact analysis, which requires companies to evaluate whether the practice results in a disparate impact on individuals based on protected characteristics, may be designed to target certain “big data” analytics.
- Focused Collection and Responsible Use. Under the bill, companies may only collect, retain, and use personal data in a manner that is reasonable in light of context. Companies must delete or de-identify personal data within a reasonable time after the purposes for which the personal data were first collected are fulfilled.
- Note that the required privacy notice described above specifically would require companies to disclose when personal data will be deleted or de-identified or, if applicable, the fact that the company does not delete or de-identify personal data.
- Notwithstanding the general rule, the legislation indicates that companies may process, retain, and use data more expansively if they provide heightened transparency and individual control or are performing an “analysis” under the supervision of a Privacy Review Board.
- Security. Companies would be required to implement information security controls, including a process to identify reasonably foreseeable risks to the privacy and security of personal data, safeguards reasonably designed to secure personal data, and a process to regularly assess and adjust such safeguards. The proposed bill specifies that the reasonableness of such practices would be evaluated against “widely accepted practices,” among other factors.
- Access and Accuracy. The bill requires companies (1) to provide individuals with reasonable access to their personal data; (2) to maintain reasonable procedures to ensure that personal data under their control is accurate; and (3) to provide individuals with reasonable means to dispute and resolve concerns about the accuracy or completeness of personal data about them that is under a company’s control. The bill sets forth certain exceptions, limitations, and nuances to each of these three requirements.
- Accountability. The bill affirmatively requires companies to adopt certain measures that are commonly thought of as relating to “privacy by design,” including obligations to “build[] appropriate consideration for privacy and data protections into the design of its systems and practices.” The bill also requires companies to provide employee training. It also requires companies to “bind[] any person to whom the covered entity discloses personal data to use such data consistently with the covered entity’s commitments with respect to the personal data . . . .” There is no express carve out for third parties with whom a company shares personal data pursuant to the heightened transparency and control requirements.
Are there any safe harbors? The bill outlines a process for the development of industry codes of conduct and their review and approval by the FTC. The bill sets forth a “safe harbor” against enforcement of the substantive provisions of the statute for any defendant who adheres to an approved code of conduct and is in compliance with such code of conduct.
How would the bill be enforced? The proposed bill would give the FTC the authority to enforce violations. While the Federal Trade Commission does not generally have civil penalty authority for violations of Section 5 of the FTC Act, the bill would specifically authorize civil penalties of up to $25,000,000 for violations that involved a company’s actual knowledge or knowledge fairly implied. In addition, state attorneys general would be authorized to seek injunctive relief for violations of the statute on behalf of state residents. The bill would not create a private right of action for consumers (or class action lawyers).
Does the bill preempt state laws? The bill does not preempt the ability of state regulators to enforce their consumer protection laws of general application, although it would preempt state laws that specifically regulate personal data processing.