Gold gavel on platform

Searching for the One Ring to Rule Them All: A Look at 8 U.S. Federal Privacy Bills

Image Credit: 3D Animation Production Company from Pixabay

This article is Part 1 of 2 in a series exploring proposed federal privacy laws in the United States. Part 2 will discuss the constitutional challenges facing not only a proposed federal privacy law but those facing existing state privacy laws as well.

As predicted in our Privacy Law Forecast for 2019, legislators have raced to introduce national privacy regulation in both the House and Senate this year.

In contrast to the European Union’s GDPR, a hodgepodge of sectoral laws govern privacy in specific industries: medical, financial, educational, and marketing sectors, among others. States have enacted laws to protect their residents. And on top of that, Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants authority to the FTC to enforce against unfair and deceptive acts and practices.

This all results in a confusing and burdensome “patchwork” of national, state and sectoral rules. (For more in-depth discussion on the current U.S. privacy regulatory landscape, please see American Privacy Laws in a Global Context.)

Given this regulatory environment, legislators are keen to put forth a single federal privacy law to standardize this “patchwork” and forestall the passage of dozens more state privacy bills. Some have set a deadline, hoping to pass a federal privacy law before the CCPA comes into effect on January 1, 2020. Since the start of 2019, lawmakers have introduced about 230 bills that regulate privacy in some way in either the House or Senate.

The following is a sample of comprehensive bills from both sides of the aisle. Though these bills are unlikely to pass committee, they indicate what policies lawmakers are considering in the current negotiations:

Title Introduction Date Sponsor Notes
American Data Dissemination Act of 2019 (“ADD Act”) January 16, 2019 Senator Marco Rubio (R-FL) This bill would require the FTC to submit recommended privacy regulations on “covered providers” (defined as any person that provides services over the internet) to Congress. If Congress fails to enact a law based on the FTC’s recommendations, the FTC would promulgate a final rule incorporating its proposed regulations. Only the FTC has powers of enforcement. This bill further allows for the preemption of state law.
Social Media Privacy Protection and Consumer Rights Act of 2019 January 17, 2019 Senator Amy Klobuchar (D-MN) This bill would require online platforms to inform the user of any data collection and use, offer the user a copy of their personal data, and allow the user to opt out of data tracking. The bill also requires breach notification within 72 hours of detection. Only the FTC and state attorneys general have the power to enforce violations.
Digital Accountability and Transparency to Advance Privacy Act (“DATA Privacy Act”) February 27, 2019 Senator Catherine Cortez Masto (D-NV) This bill would require companies to provide users with a fair processing notice and to allow users to access, port, or delete their own records. It would mandate users’ opt-in consent in situations involving sensitive data or data outside the parameters of the business-consumer relationship. Companies that collect data on more than 3,000 people a year and revenues greater than $25 million per year must appoint a Data Protection Officer (DPO). The FTC, state attorneys general, and any other officer authorized by the State to bring civil actions would have the power to enforce this law.
Own Your Own Data Act March 14, 2019 Senator John Kennedy (R-LA) This bill would require social media companies to have a “prominently and conspicuously displayed icon” that a user can click to easily access and port their information. It would characterize user account registration as a “licensing agreement” wherein the user would license the user’s data to the social media company.
Information Transparency & Personal Data Control Act April 1, 2019 Representative Suzan DelBene (D-WA) This bill would require any company to first procure users’ opt-in consent before processing sensitive data. Companies must also provide users with fair processing information. The bill requires companies to obtain third-party privacy audits and to submit the audits to the FTC biannually. Only the FTC would enforce this law. This bill further allows for the preemption of state law.
Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019 (“BROWSER Act”) April 10, 2019 Senator Marsha Blackburn (R-TN) This bill would require providers of broadband internet access service and edge services to notify users of the providers’ privacy policies; obtain users opt-in consent in order to process sensitive information and opt-out consent for non-sensitive information; and prohibits providers from conditioning services on waivers of privacy rights. The bill further allows for the preemption of state law.
Privacy Bill of Rights April 11, 2019 Senator Edward Markey (D-MA) This bill would require companies provide users with fair processing information and the right to access, port, or delete their own records. Companies would be prohibited from offering “take-it-or-leave-it” arrangements or financial incentives in exchange for users’ personal information. Companies would also have to procure users’ opt-in consent before processing personal information. Under this bill, companies must designate an employee in charge of privacy/security compliance, no matter the size or annual revenue of the company. The FTC, state attorneys general, and individuals would be able to sue to enforce the law.
Do Not Track Act May 21, 2019 Senator Josh Hawley (R-MO) This bill would establish a national Do Not Track (DNT) system and require any website or application operator to search for a DNT signal upon connection. The bill would make it illegal to collect data from devices displaying a DNT signal. Only the FTC and state attorneys general have the power to enforce violations.

As we can see, the fault lines are clear and not surprising. Democratic lawmakers generally favor a private right of action for consumers to sue a company that has mishandled consumer data. Republican lawmakers are generally against including such a provision. Republican lawmakers typically favor an express right of preemption, so that a laxer federal privacy law may preempt stringent state laws such as the CCPA. Democratic lawmakers are largely against the inclusion of such provisions, unless the bill provides consumer rights equivalent in scope and depth to the CCPA.

Regardless of whether or not a federal privacy law passes, businesses and the courts have their work cut out for them. Constitutional and interpretive challenges will plague the reach of any state or federal comprehensive privacy law, making it difficult to assess coverage for overlapping sector, state, and federal rules.

Consequently, as we will discuss further in our next article, legislators should consider these constitutional challenges head on prior to passing the “one” best bill to rule them all. Without clearly articulating the scope of any privacy law (e.g. does it extend across state borders and internationally), its preemption over or exclusions for other laws (e.g. GLBA, HIPAA, COPPA), and its relationship to third parties that only touch data incidentally – any comprehensive legislation will just add to the quagmire of current laws.

Federal Trade Commission logo

The FTC Ramps Up Privacy Enforcement

Following increased congressional scrutiny over its data privacy enforcement practices in 2018, the FTC has ramped up its enforcement actions in recent months, giving some real bite to current federal privacy laws:

  • On February 27, 2019 the FTC filed a complaint against the operators of lip-syncing app Musical.ly—now known as TikTok – for failing to seek parental consent before collecting the personal information of users under the age of 13. In response to the FTC’s complaint, TikTok agreed to pay a $5.7 million settlement to the agency, marking the largest-ever COPPA fine in US history.
  • Throughout March, the FTC obtained settlements against 4 separate robocall operations: NetDotSolutions, Higher Goals Marketing, Veterans of America, and Pointbreak Media. These cases charged these separate entities for violations of the FTC Act (unfair and deceptive trade practices) and the agency’s Telemarketing Sales Rule (TSR) – including its Do Not Call (DNC) provisions.
  • On March 26, 2019 the FTC announced a broad inquiry into the data collection practices of broadband companies under Section (b) of the FTC Act. The agency issued orders to AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless, seeking information about the collection, retention, and sharing of personal information. The FTC investigation highlights recent consumer concerns about data privacy and tracking by ISPs, following high-level acquisitions of content providers like AOL, Yahoo, and DirectTV. We are watching closely, as this may be the start of one of the first joint privacy-antitrust enforcement actions by the FTC.

These enforcement actions highlight the FTC’s role as the de facto data protection authority for the United States. Yet, the FTC’s mandate extends far beyond data privacy, and includes regulatory authority over false advertising claims, anticompetitive behavior, and merger review. While Congress continues to debate the passage of a federal bipartisan privacy bill, it behooves them to keep in mind the current staff and funding limitations of the FTC in any proposed drafts.

Picture of Lily Li on Critical Mass Radio

Metaverse Law on Critical Mass Radio Show

On February 13, 2019, Lily Li of Metaverse Law appeared on Critical Mass Radio Show to discuss trends in privacy law and general pointers for businesses. Three takeaways from the show include:

  1. Regardless of the size of your company, consider data privacy. The size of your company itself is not as relevant as is the customer data you process. Even if you are a small company, but have a large customer base, chances are you should be looking at the data privacy regulation in your state. If you have customers overseas, such as in Europe, it is important to realize that you will then fall under European privacy laws. Privacy laws have to do with where your customers are, rather than simply where your company is based. Be aware and do your research to ensure that you are complying to the regulation that impacts your firm.
  2. Data belongs to the individual. While in the past, customer data was thought of as the company’s intellectual property, this is no longer the case. Customer data belongs to the individual, so treat it like it is their property ­ not just yours. Your clients have the right to tell your company what they want (and don’t want) done with their data, so it is crucial to ensure that you have a process in place to comply and verify with your customer.
  3. Put your data house in order. Data security affects many departments in your company, from the front end to the back end. As such, it is important to find a workflow so customer data is protected throughout its entire life cycle. Start by gathering all of your company’s department heads together in a room and ask them this key question: “Where do you store data?” From there, it will be clear what needs to be addressed when it comes to your data.

Listen to the full interview here:

Pole with sign saying "future".

Privacy Law Forecast for 2019

Image Credit: ID 23689850 © Steve Ball | Dreamstime.com

This past year was quite a whirlwind for privacy and cybersecurity watchers. Just to sum up a few of the top events of last year:

  • Facebook’s Cambridge Analytica scandal rocked political headlines
  • Europe introduced the GDPR, the most comprehensive data protection legislation to date in the world
  • California enacted the California Consumer Privacy Act, becoming the first US state to create GDPR-style rules
  • Google came under fire for allowing app developers to read your email, and track your location (even with location tracking off!)
  • Marriott’s guest reservation system was hacked, exposing the personal information of up to 500 million guests, including passport numbers and payment numbers for some of those hacked

What will happen in 2019? Here are our top 5 predictions:

Continue Reading Privacy Law Forecast for 2019

Image of gears directing arrows to shield.

California Consumer Privacy Act vs GDPR – How to Maximize Your Privacy Compliance Program

California’s recent passage of the Consumer Privacy Act of 2018 now places the world’s fifth-largest economy under European style data protection rules. Given the new law, US businesses that were previously hesitant to implement GDPR are now reconsidering their position.

Luckily, the GDPR and the California Consumer Privacy Act (CCPA or CaCPA) share some similarities. Both provide for consumer-facing privacy notices, data access rights, and data portability. As businesses automate their GDPR compliance processes, they should also leverage those same processes under the CaCPA to save significant time and expense.

Below, we have listed five common operational steps that all businesses should take in their GDPR and CaCPA privacy compliance programs:
Continue Reading California Consumer Privacy Act vs GDPR – How to Maximize Your Privacy Compliance Program

1 2 3 4