On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill. The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights over their data and the FTC’s enforcement role over digital privacy. Rep. Cathy McMorris Rodgers (R-Wash.) and Rep. Jan Schakowsky (D-Ill.) have been particularly involved in working on the bill.
“We welcome input from all interested stakeholders and look forward to working with them going forward,” an Energy and Commerce spokesperson told The Hill. “This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”
The draft bill echoes many of the provisions in the Consumer Online Privacy Rights Act (COPRA) introduced last month by Democratic senators. However, unlike COPRA, the bill is silent on two notable issues: whether individuals have a private right of action to assert violations and whether the bill would preempt state laws.
Here are some key elements of the bill:
Scope. The bill broadly defines covered information. With certain exceptions, it includes “any information about an individual possessed by a covered entity that is linked or reasonably linkable to a specific individual.” Covered entities, again with certain exceptions, include all entities that are subject to the FTC Act and that process covered information.
Individual Rights. Individuals are granted rights of access, deletion, and correction over covered information. In turn, covered entities are required to provide a mechanism for individuals to easily exercise those rights. The bill also contains several protections related to civil rights. It prohibits the entity from processing in a way that discriminates on the basis of protected classifications. The burden is on the entity to show that the processing was not intentionally discriminatory and was necessary, without reasonable alternatives, to achieve a substantial and legitimate interest.
Covered Entity Obligations. Covered entities are required to publish transparent and accessible privacy policies. They must also implement reasonable internal policies and security measures regarding covered information. Any breach of security—defined as unauthorized access to, acquisition of, or use of data containing covered information—requires confidential notification to the FTC. Furthermore, larger entities must annually file and certify a more “detailed and granular” privacy policy with the FTC and appoint a privacy protection officer in charge of compliance.
The bill generally prohibits processing covered information without express, affirmative consent, but it then qualifies this prohibition for several categories of use. First, consent is implied to the extent processing is consistent with reasonable consumer expectations within the context of the interaction. Consent is not implied in the case of sensitive information, which includes:
- health information;
- biometric information;
- precise geolocation information;
- social security numbers;
- information concerning an individual’s race, color, religion, national origin, sex, age, or disability;
- contents and parties to communications;
- audio and video recordings captured through a consumer device;
- online browsing history with respect to sensitive information; and
- financial information, including bank account, credit card, debit card, or insurance policy numbers.
In addition, for the following types of information, processing is permitted only to the extent it is consistent with reasonable consumer expectations within the context of the interaction:
- biometric information for purposes of identifying an individual or to verify an individual’s identity;
- precise geolocation information linkable to an identifiable individual or consumer device;
- covered information to attribute a consumer device or devices to a specific individual using probabilistic methods, such as algorithms or usage patterns;
- covered information obtained through a microphone or camera of a consumer device;
- the contents of an individual’s communications or the parties to such communications; and
- health information.
Second, entities may use covered information for first-party marketing, but individuals will have the right to opt out. Third, entities engaging in all other types of processing must have consent. Finally, entities must generally have consent to disclose covered information to third parties.
The bill also contains additional prohibitions related to waiver of rights. The entity must not condition its provision of a product or service based on an individual’s waiver of the rights discussed above. Furthermore, an entity may not provide financial incentives to seek the waiver of rights.
FTC Authority. The bill directs the FTC to establish a new Bureau of Privacy focused on digital privacy and security issues. The FTC is granted authority to enforce the provisions, along with state attorneys general.