By Caleb Skeath
As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February. The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA). As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements. Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Who would the bill apply to? The bill would apply to entities within the FTC’s Section 5 jurisdiction, common carriers under the Communications Act, and 501(c) non-profit organizations.
However, an entity that collects, uses, transfers, or stores “covered information” regarding fewer than 5,000 individuals during a consecutive 12-month period would not be subject to the bill’s provisions. Unlike the White House proposal, the bill does not carve out exceptions for entities that have a small number of employees or that do not process certain sensitive types of data.
The bill also applies to “service providers” and “third parties.” A “service provider” that receives covered information in performing services on the covered entity’s behalf would be required to sign a contract that requires the service provider to collect, use, and store the covered information as if it were a covered entity. The bill defines “third parties” as entities that are not under common ownership with a covered entity or are related to a covered entity in a manner that an ordinary consumer would not understand. Third parties that receive covered information from a covered entity would be subject to the same restrictions as a covered entity unless they establish a business relationship with the individual providing covered information or identify themselves to the individual providing covered information at the time of collection.
How is “covered information” defined under the bill? The bill defines “covered information” to include both “personally identifiable information” and “unique identifier information.” Although the definition of PII is not as broad as that contained in the White House bill, each of the following types of information, by themselves, would qualify as PII:
- Physical address;
- Email address;
- Telephone number;
- SSN or other government ID number;
- Unique identifier information that, by itself, can be used to identify an individual;
- Credit card account number; or
- Biometric data.
In addition, the following types of information would qualify as PII when paired with one of the types of PII listed above:
- Date, certificate, or place of birth;
- Unique identifier information that cannot be used to identify an individual by itself;
- Precise geographic location;
- Information about the use of voice services; or
- Any other information that could be reasonably used to identify an individual.
Unique identifier information, meanwhile, would include unique persistent identifiers associated with an individual or networked device. Examples provided include a customer number in a cookie, a user ID, or a device serial number.
How is “unauthorized use” defined under the bill? A number of the bill’s substantive requirements relate back to the concept of “unauthorized use,” which the bill defines as the use of covered information for any purpose not authorized by the individual. However, the bill includes numerous exceptions to this definition, such as processing transactions, fraud prevention, legal requirements, criminal investigations, marketing or advertising under limited circumstances, the improvement of products or services, or by necessity for internal operations.
Substantive Obligations: A summary of the key substantive provisions of the bill is as follows:
- Security: The FTC would be required to initiate a rulemaking proceeding to require covered entities to utilize security measures to protect the covered information they maintain. The security measures would be proportional to the size and type of entity and consistent with existing FTC guidance and industry practices.
- Accountability: Covered entities would be required to have “managerial accountability” for the adoption and implementation of policies consistent with this bill, as well as a process to respond to non-frivolous complaints from individuals regarding covered information.
- Privacy by Design: Covered entities would be required to implement “comprehensive” information privacy programs, including development practices throughout the product life cycle to safeguard PII, as well as appropriate management processes and practices throughout the data life cycle.
- Transparent Notice: The FTC would be required to initiate a rulemaking to require covered entities to provide notice of the entity’s collection, use, transfer, and storage of covered information, as well as the purposes of those practices. Entities would also be required to provide notice before instituting material changes to these practices. The FTC would be permitted to provide guidance for drafting notices and model notice templates, as well as alternate means for entities unable to provide notice when the information is collected.
- Individual Participation: The FTC would be required to initiate a rulemaking proceeding to require covered entities to provide opt-in consent for use of covered information that would otherwise be unauthorized, as well as for use of covered information by a third party for behavioral advertising or marketing. Covered entities would have to allow individuals access to their covered information, a means for correcting errors, and a means for transferring it to another entity.
- Data Minimization: A covered entity would only be allowed to collect covered information as reasonably necessary to process requested transactions, deliver requested services, prevent fraud, investigate crimes, comply with legal obligations, market or advertise under certain circumstances, or for internal operations. Data retention would be limited to the period required to complete a transaction or provide a service (if a transaction or service exists), and data could only be used for reasonably related purposes.
- Constraints on Data Use: Covered entities would be required to execute contracts with third parties requiring them to abide by the provisions of this bill, although the FTC would retain the power to exempt specific third parties from this requirement. Third parties would be prohibited from combining data in the absence of opt-in consent. Covered entities would be required to conduct due diligence on the third party prior to entering into a contract and would be prohibited from contracting with third parties who have intentionally or willfully violated the provisions of the bill or are “reasonably likely” to do so.
- Data Integrity: Covered entities would be required to maintain procedures to ensure accuracy of covered information where it could be used to deny consumers benefits or cause “significant harm.” Certain types of covered information would be exempt, including covered information provided directly by the individual or from another entity at the request of the individual.
Are there any safe harbors? The bill would provide for the development of self-regulatory safe harbor programs administered by non-governmental organizations under the supervision of the FTC. However, compliance with a safe harbor program would not relieve a covered entity of the obligation to comply with the bill’s security, accountability, and privacy by design provisions. In addition, entities that would otherwise be covered under the bill would be exempt to the extent that they are subject to provisions of other enumerated federal laws, including the Right to Financial Privacy Act, FCRA, the Fair Debt Collection Practices Act, COPPA, GLBA, FERPA, HIPAA, and section 227 of the Communications Act of 1934.
How would the bill be enforced? Any violation of the bill would be treated as an unfair or deceptive trade practice, enforceable by the Federal Trade Commission. State attorneys general would be allowed to bring a civil action to enforce the bill’s provisions if the interests of state residents are adversely affected, but any civil action brought by the FTC would preempt the enforcement powers of the state attorneys general. The bill would provide for civil penalties for violations of the security, accountability, privacy by design, transparent notice, and individual participation provisions of up to $33,000 per day of non-compliance or per individual from whom the entity failed to obtain consent, up to a maximum of $6 million for any “related series of violations.” The bill would not provide a private right of action.
Does the bill preempt state laws? The bill would preempt state laws relating to the collection, use, or disclosure of covered information or PII. However, the bill would specifically preserve state laws regarding the collection, use, or disclosure of health or financial information, as well as state laws relating to acts of fraud.