On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data. The bill would also provide the FTC with rulemaking authority and the ability to levy substantial civil penalties for noncompliance with its provisions.
This bill comes on the heels of Senator Ron Wyden’s release of a draft “Consumer Data Protection Act,” which also expanded FTC authority and created significant civil fines. Several other privacy frameworks have already been introduced this year by both Democratic and Republican lawmakers, and additional bills may be introduced in 2019.
Key aspects of Senator Schatz’s bill include:
Scope: The bill applies to “online service providers” that engage in interstate commerce and, in the course of business, collect individually identifying data about end users, “including in a manner that is incidental to the business conducted.” The Act authorizes the FTC to promulgate regulations that exempt certain online service providers from the Act’s requirements, after consideration of the privacy risks posed by these providers, and the costs and benefits of imposing the bill’s requirements upon them.
The bill protects end users’ “individually identifying data,” which means any data collected over the internet (or other digital network) that is linked or reasonably linkable to specific users or devices.
Duties of Care, Loyalty, and Confidentiality: The bill would create new duties of care, loyalty, and confidentiality for online service providers:
- Duty of Care: Providers must “reasonably secure” individually identifying data from unauthorized access. If providers breach this duty with respect to end users’ sensitive data, they must promptly notify these users. The bill defines “sensitive data” to include information such as unique biometric data, personal information collected from a child, and financial and health information. The FTC also has the authority to expand this breach notification requirement to categories of individually identifying data other than sensitive data.
- Duty of Loyalty: Providers have a duty of loyalty to refrain from using end users’ individually identifying data, or data derived therefrom, in any manner that will benefit the provider to the detriment of the user. A potential limiting factor of this broad prohibition is that these uses must also result in reasonably foreseeable and material physical or financial harm to the user, or be unexpected and highly offensive to a reasonable user.
- Duty of Confidentiality: Providers have a duty of confidentiality to not disclose, sell, or share individually identifying data with other persons. The bill outlines an exception to this prohibition where such disclosure is consistent with the providers’ duties of care and loyalty, and the person with whom data is shared is contractually required to abide by the same duties as the provider. Even after entering into such a contract, the provider must reasonably ensure that these other persons fulfill their duties, including by regular audits of their data security and information practices.
Federal and State Approach to Enforcement: The bill would not preempt state privacy and data security laws. Additionally, the bill authorizes enforcement of its provisions by the FTC, state attorneys general, and state consumer protection officers:
- FTC: The bill provides the FTC with rulemaking authority and the ability to enforce its provisions with respect to nonprofit organizations and common carriers. Additionally, although the enhanced civil penalty authority (described below) is outlined in the “Enforcement by States” section of the bill, Senator Schatz’s press release indicates that the FTC will also be given the authority to impose fines.
- State Attorneys General: State Attorneys General may bring enforcement actions against providers and seek civil penalties under the bill, but the FTC can intervene.
- State Consumer Protection Officers: These state officers may also bring enforcement actions against providers, subject to the same requirements and limitations as State Attorneys General.
Substantial Civil Penalties for Knowing or Repeated Violations: Online service providers that knowingly or repeatedly violate their duties under the bill may receive an enhanced civil penalty, which multiplies the civil penalty for which an entity may be liable under the FTC Act by the greater of (1) the number of days the provider was noncompliant, or (2) the number of end users who were harmed as a result of the violation. The bill does not explicitly define “harm,” but other language in the bill describing providers’ duty of loyalty suggests that it may be limited to “reasonably foreseeable and material physical or financial harm.”