Deadline Nears for Comments on Draft Comprehensive Privacy Legislation
With the release of an important discussion draft, the United States has taken a significant step toward the enactment of comprehensive federal privacy legislation. Earlier this month, two senior members of the House of Representatives Committee on Energy and Commerce, Reps. Rick Boucher, D-Va., and Cliff Stearns, R-Fla., circulated a discussion draft of a bill to jump-start legislative efforts to address consumer privacy issues. While initially prompted by online privacy concerns, the bill as drafted would have a far broader reach, with significant implications for most enterprises that collect, use or disclose consumer data for any reason. The bill would impose a new array of privacy requirements on a host of online and offline entities and subject them to potential civil penalty or damages actions for failure to comply. The bill’s authors have announced a June 4, 2010, deadline for interested parties to share comments or concerns. Independent of the bill’s prospects for further action this year, potentially affected parties should note that the product that emerges from this process will likely form the basis for privacy legislation to be considered in the 112th Congress. If you would like to discuss the potential impacts of this landmark legislation or how best to convey your concerns to legislators, please contact the individuals noted in this alert’s Contact Information section.
The draft bill, if enacted, would be the first federal law of its kind and would broadly prohibit most entities—“covered entities”—from collecting, using or disclosing “covered information” for any purpose without first providing notice to consumers and giving consumers the option to decline consent to—or “opt-out” of—the collection, use and disclosure of their information. The draft bill would also carve out certain situations where more stringent affirmative—or “opt-in”—consent would be required. Set forth below is an overview of the draft bill, followed by a brief assessment of the bill’s prospects for passage.
OVERVIEW OF DRAFT COMPREHENSIVE PRIVACY LEGISLATION
The sweeping draft bill would create new obligations for most entities that collect personal information on a large scale. The draft bill would apply to “covered entities,” defined to include any person engaged in interstate commerce that collects “covered information,” except government agencies or persons that collect non-sensitive information from fewer than 5,000 individuals per year. “Covered information” includes virtually any identifier that can be tied back to a particular person, such as names, addresses, telephone and fax numbers, e-mail addresses, unique biometric data, Social Security numbers, financial account numbers, credit card numbers, any “unique persistent identifiers” (e.g., customer numbers, aliases, IP addresses) and “preference profiles” (i.e., a list of information or preferences associated with a specific individual or computer/device).
Highlights of the draft bill include—
Notice and Opt-Out Consent Generally Required for Collecting, Using or Disclosing Covered Information.
Generally, the draft legislation would prohibit a covered entity from collecting, using or disclosing covered information for any purpose—other than purposes considered “operational or transactional”—without first providing a privacy notice to the consumer and obtaining adequate consent. The draft bill contains a rather extensive list of requirements for the types of information privacy notices must contain. The draft also specifies that consent would be assumed if the entity informed the individual of his or her right to decline consent, presumably through the privacy notice, and the individual either affirmatively granted consent or did not decline consent. An individual would be allowed to withdraw his or her consent and, upon such withdrawal, entities would be prohibited from collecting additional data or from making additional use of information previously collected.
Notice and Opt-In Required for Activities Involving Sensitive Information, Sharing Information with Unaffiliated Third Parties and Tracking Online Activity across Numerous Web Sites.
One of the most significant aspects of the bill is its establishment of an opt-in regime under which the consumer’s express affirmative consent would be required in certain situations. Specifically, such express consent would be required in three circumstances:
- Sensitive Information. This higher opt-in standard would apply to the collection and disclosure of “sensitive information.” Sensitive information would be defined to include an individual’s “medical records” (e.g., medical history, conditions or treatment), financial records and other financial information, precise geolocation information, and information about an individual’s race, ethnicity, religious beliefs or sexual orientation—to the extent such information is associated with covered information about the individual.
- Unaffiliated Party. Opt-in would also be required before an entity could sell, share or otherwise disclose covered information to an unaffiliated third party. The draft bill provides an exception for disclosures made to “service providers,” defined to include entities that collect, maintain, process, store or otherwise handle covered information on behalf of a covered entity, to the extent that the service provider has agreed to limit its use or disclosure of the information.
- All or Substantially All of an Individual’s Online Activity. Opt-in would further be required for the collection or disclosure of all or substantially all of an individual’s online activity. The draft bill provides an exemption, however, for individual managed preference profiles.
Procedures Required to Ensure Data Accuracy, Security, Integrity and Confidentiality.
The draft bill requires covered entities to establish reasonable procedures to ensure the accuracy of covered information they collect. The draft bill further mandates that both covered entities and service providers that collect covered information establish and maintain appropriate administrative, technical and physical safeguards to ensure the security, integrity and confidentiality of covered information; protect against anticipated threats or hazards to data security or integrity; and protect against unauthorized access to, and loss, misuse, alteration or destruction of, information. In a fundamental change from current privacy law, entities that are not directly regulated by the Gramm-Leach-Bliley Act (which generally applies to financial institutions) that are victims of privacy breaches would be exposed to potentially massive fines. The draft bill sets the standard high—where an entity faces a security breach, it must make “every reasonable attempt” to prevent further unauthorized access to the affected covered information and to restore reasonable data integrity.
Exemption for Aggregate or Anonymous Information.
The draft bill contains a provision stating it would not “prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.” It is not entirely clear from the bill’s language how exactly covered entities can “render anonymous” the data they collect or whether they can engage an unaffiliated party to render data anonymous.
Carve-outs for Activities Covered by Other Federal Privacy Laws.
The draft bill provides that the law “shall have no effect on activities covered by”: Title V of the Gramm-Leach-Bliley Act (GLBA); the Fair Credit Reporting Act (FCRA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); Part C of title XI of the Social Security Act; the Communications Act of 1934; the Children’s Online Privacy Protection Act of 1998 (COPPA); and the CAN-SPAM Act of 2003. Given the breadth of activities potentially affected by the draft bill, it is not clear whether this language will be sufficient to protect entities from multiple layers of regulation under the various privacy laws.
Potential for Confusion over an Entity’s Status.
Since an entity’s obligations under the proposed bill can turn on whether it is considered a covered entity, a service provider or an unaffiliated party, one concern with the draft bill is how the status of entities that play more than one of these roles would be defined. As currently drafted, the bill seems unclear as to whether an entity could be considered a covered entity and, at the same time, also be considered a service provider and/or an unaffiliated party. Given the complexity of business relationships and the changing practices of data collection, use and disclosure, the lack of clear definitional direction seems likely to hinder the ability of companies to abide by the obligations imposed by the draft law without taking on excessive cost burdens.
Violations Enforceable by the Federal Trade Commission (FTC), State Attorneys General or State Consumer Protection Agencies.
The bill would be effective one year from the date of enactment, and enforcement actions could be brought by the FTC—which could seek civil penalties or fines—and state attorneys general or state consumer protection agencies—which could seek injunctive relief, damages, restitution or other compensation on behalf of state residents. Notably, the FTC would also be given broad rulemaking authority to create further obligations for businesses. Further, the draft bill would preempt any state or local laws that include requirements for the collection, use or disclosure of covered information. The draft bill explicitly provides that it would not create a private right of action relating to any act or practice within the scope of the law.
THE PATH FORWARD
Reps. Boucher and Stearns are seeking public comments on this draft legislation by June 4, and it seems likely a modified version of the bill will be introduced later this session of Congress. It is also possible that a hearing may be held in the House Energy and Commerce Committee on the legislation, but it seems highly unlikely that the bill will see any substantive action in committee this session. While prospects for future action on this draft legislation are unclear, the product developed this year remains important because this draft bill will likely serve as the basis for privacy legislation considered in the 112thCongress.
|Daniel F. McInnis
|James. R. Tucker Jr.
|Jo-Ellyn Sakowitz Klein
|Paul G. Scolese