Ever since the Facebook/Cambridge Analytica story broke, privacy has been the talk of the town in Washington, DC, and conventional wisdom is that Congress will begin debating comprehensive privacy legislation in earnest in 2019. In preparation, members of Congress are starting to drop their message bills and discussion drafts. We offer our initial take here.
In the Senate
CONSENT Act (S. 2639)
Senators Markey and Blumenthal began the federal privacy debate by introducing the CONSENT Act almost immediately following Facebook/Cambridge Analytica. The bill was a shot across the bow — a clear statement that we need federal privacy legislation. And, it has some good ideas: It gives rulemaking authority to the Federal Trade Commission (FTC). It requires meaningful notice to consumers when their personal information is collected, used, or shared, and it requires strong de-identification safeguards and reasonable data security practices. It also, as its title suggests, requires informed, opt-in consent before data are used, shared, or sold.
Unfortunately, glaringly missing is any required opt-in consent before data are collected. Moreover, many of the bill’s protections apply only to so-called “sensitive” information, preserving the dated and nonsensical sensitive/non-sensitive distinction, which provides heightened protections for information like first and last name, social security numbers, bank account numbers, health status, etc., and lesser protections to other information even though that other information can be aggregated to reveal sensitive information and is often used as a proxy for sensitive information. Furthermore, the bill only requires notification of a data breach when “harm is reasonably likely to occur,” allowing the entity that has already failed to sufficiently protect personal information to determine, in its sole discretion — when it has every financial incentive to keep a data breach secret — whether or not consumers have been or will be harmed and thus whether or not consumers should be informed of the breach.
Senators Markey and Blumenthal have rightly recognized that the CONSENT Act is merely the start to a conversation and that other privacy protections will be necessary. Both members continue to innovate and develop other privacy bills, like Sen. Markey’s Do Not Track Kids Act, that they hope will become pieces of a future comprehensive privacy bill.
Social Media Privacy Protection and Consumer Rights Act (S. 2728)
On the heels of the CONSENT Act, Senators Klobuchar and Kennedy introduced the Social Media Privacy Protection and Consumer Rights Act of 2018 in April of 2018. This bill would do little to change the status quo. Senators Klobuchar and Kennedy basically just require online platforms to have terms of service (something platforms already do) that “follow[]…best practices appropriate to the subject and intended audience.” The bill neglects to include any instructions about what those “best practices” should look like, and if they follow current industry “best practices,” terms of service are likely to continue to be impenetrable to the average consumer. The bill also provides some ability to opt out of data collection and use. Of course, the devil is in the details, and the bill doesn’t provide any and does not authorize the FTC to spell out the details. Finally, the bill requires online platforms to “establish or maintain…privacy or security program[s]” (emphasis mine), notwithstanding the fact that privacy and security are different, and both are necessary.
Consumer Data Protection Act
Following Klobuchar/Kennedy, there was a long lull in privacy bill introductions on the Senate side as members thought carefully about what proposals they wished to advance. Then, in early November, Senator Wyden posted a copy of his Consumer Data Protection Act on his website and invited public comment on the bill. (Seriously, you can submit comments here.) The part of the Wyden proposal that has gotten the most attention is that it requires corporate officers to certify annual data protection reports under pain of criminal penalties. But, the bill does much more than that. It expands the FTC’s unfair and deceptiveness authority to include “noneconomic impacts and those creating a significant risk of unjustified exposure of personal information,” and it creates a universal opt-out function (similar to the Do Not Call list) for the sharing, storage, and use of personal information. Importantly, the universal opt-out is retrospective, so companies are required to delete information they already have on a consumer who opts out.
Additionally, companies are required to query the list proactively, addressing the problem of “shadow profiles,” data brokers, and other data collection about individuals who have no relationship with a given company. The bill also helpfully creates a Bureau of Technology at the FTC and increases the FTC’s resources, and it requires that companies undertake data security measures. It provides users with access and correction rights and requires companies to turn over, upon request, a list of the specific third parties with whom they share consumer data. The bill provides the FTC with rulemaking authority and prevents companies from contracting out of the bill’s requirements.
Finally, the bill also requires risk assessments of automated decision systems. This is an area where the bill could go further. It requires these assessments only for “high-risk” automated decision systems, baking in a sensitive/non-sensitive distinction, and the required assessments need only be made public at the company’s discretion. Given past incidents of companies withholding information about security breaches and unauthorized third party access to consumer data, its is hard to trust that a company is going to voluntarily make an unfavorable assessment public. Requiring these assessments to be filed with the FTC or other agencies and shared publicly would provide the transparency and market information that consumers deserve. Finally, the bill is silent on data collection. So, if the bill becomes law, you can opt out all you want, but companies will still be able to collect anything they want to about you without your permission.
Data Care Act (S. 3744)
Rounding out the Senate proposals is Senator Schatz’s Data Care Act of 2018. The bill introduces the idea of a data fiduciary, imposing on online service providers similar duties of care, loyalty, and confidentiality that other professions with unique knowledge and power, like doctors and lawyers, already have. While Sen. Schatz’s proposal is innovative, creative, and an important addition to the debate, the fiduciary duties in his bill are not fully baked yet. The bill would only stop companies from using personal data for their own benefit at consumers’ expense when the data use will result in reasonably foreseeable, material physical or financial harm. This list of harms is woefully incomplete. Additionally, the bill only requires companies to notify users of data breaches when so-called sensitive data are breached. To put a finer point on it, under the bill, Facebook would not have had to notify users about Cambridge Analytica. Perhaps most easily fixable, the bill does not address how to handle conflicts between companies’ duties to their end users and their duties to their shareholders.
On the House Side
The House has gotten off to a slower start on legislative proposals, and, in fact, the most publicized proposal is not a legislative proposal. In October, Representative Khanna dropped his proposal for an Internet Bill of Rights. Many of the proposed rights are, well, the right ones, including the right to know what data are collected about you; the right to access those data; the right to opt into the collection and sharing of your data (I’d add use and retention here if I could); the right to delete your data, where context appropriate and with a fair process; the right to data security and to notification of a data breach; the right to data portability; and the right to be free from unfair discrimination based on your data. Of course, writing these rights into legislative text will be difficult, so there are many known unknowns. Rep. Khanna also goes beyond the four corners of privacy, proposing rights to net neutrality and to affordable broadband internet and multiple, competitive internet service providers, both ideas that Public Knowledge strongly supports, but that may not have a place in comprehensive privacy legislation.
Information Transparency & Personal Data Control Act (H.R. 6864)
The only privacy bill that has actually been introduced on the House side since Facebook/Cambridge Analytica spurred the current debate is Representative DelBene’s Information Transparency & Personal Data Control Act. In June, Rep. DelBene floated a discussion draft that we liked so much that we gave her office a favorable quote for her press release. Unfortunately, it appears that since this initial draft, Rep. DelBene has been convinced to significantly weaken the bill.
I continue to really like the heart of the legislation, which gives rulemaking authority to the FTC and comes as close as I’ve seen to articulating what meaningful notice might look like. Under the bill, privacy and data use policies must be concise and intelligible, clear and prominent in appearance, use clear and plain language, use “visualizations where appropriate to make complex information understandable by the ordinary user,” and provided free of charge. Unfortunately, the version that was officially introduced pretty much only provides safeguards for “sensitive” data, and the bill explicitly allows companies to contract out of all of the bill’s protections in their “terms of service, terms of use, [or] user agreements.” This means that, depending on how an entity crafts its terms of service, notwithstanding the legislation, consumers may not have any choice or control over their own data at all. Just in case that loophole isn’t big enough, the bill also permits any and all data collection, use, sharing, retention, etc. as long as it is “consistent with an operator’s relationship with users as understood by the reasonable user.” I’m fairly sure that most social media platforms will argue that reasonable users understand that their relationship consists of the platform showing them precisely targeted ads, and, well, they need more data to better target those ads. Rep. DelBene’s office has said they’re retooling the bill for the 116th Congress; we hope they patch some of the holes.
Secure and Protect Americans’ Data Act (H.R. 3896)
Representative Schakowsky has also been talking about her Secure and Protect Americans’ Data Act as part of the current privacy debate, although her bill predates the Facebook/Cambridge Analytica time marker. We’ve written at length about that bill here.
Bonus!
Commercial Privacy Bill of Rights Act of 2011 (S. 799) (2011)
In 2011, Senators McCain and Kerry introduced the Commercial Privacy Bill of Rights Act of 2011. That bill was rightly and roundly criticized by public interest groups and industry alike. So, why are we talking about it now? Some members of Congress on both sides of the aisle have started talking about the McCain/Kerry bill as a potential starting point for privacy legislation. Spoiler alert: The bill was a bad idea in 2011; it is a terrible idea now. The bill only covers a small subset of personally identifiable information, a list that looks a lot like today’s lists of purportedly sensitive information — but then, the bill also contains a sensitive/non-sensitive distinction on top of that narrow definition. You read that right: The bill doesn’t even offer all of its protections for all of the information in its narrow list of personally identifiable information. Then the bill straight up exempts data use for research and development, for marketing and advertising by first parties and third parties, for collecting metrics about a website, and for uses based on the user’s reasonable expectations when he or she established his or her account — or if the practice isn’t a material change from what the user expected. Precisely what can’t a company do with consumer data under this bill? I’m not sure.
The bill contains an opt-out clause, but it only permits individuals to opt out of unauthorized use of their data. Yes, you also read that right: Even if the use is unauthorized, and I’m not sure what would be unauthorized by the bill’s definitions, the company can do it by default unless a consumer opts out. There are limits on data collection…unless those data are collected for any number of reasons, including marketing and advertising…and research and development…and internal operations. The data retention limits are similarly meaningless. But, for good measure, the bill provides for a safe harbor (safe harbor from what?) and preempts more protective state laws, which means that if the bill were to become law, people in states with stronger state laws would lose rights and protections they have under state law.
Center for Democracy and Technology: Model Privacy Bill
One last bill for this blog post. Our friends over at CDT drafted their own model privacy bill. The bill does some interesting work imagining what sorts of data uses should be per se unfair under the FTC Act, advancing some protections that might be layered on top of the anticipated notice and consent regime. It also helpfully requires the FTC to promulgate rules defining and prohibiting unfair targeted advertising practices, including those practices that are likely to result in unlawful discrimination. Otherwise, the bill is disappointin.g The draft provides notice to consumers of what is done with their data, but consumers have no ability to consent or object — even where essential services, like broadband access, are concerned. Their only option is not to use a covered entity if they don’t like that entity’s policies, and that’s not always tenable. Moreover, where the bill does offer protections, often exceptions obviate the protections. For example, data collection, retention, use, sharing, etc. is allowed when it is “required to provide or add to the functionality of the product, service, or specific feature…”. Bets on advertising-supported platforms saying all data collection, retention, use, and sharing adds to the functionality of their sites? Similarly, companies need not delete or correct personal information when retention of the original personal information is required to “complete a contract.” In fact, the bill goes further: It makes clear that it would not preempt any “contract.” Terms of service are legally considered to be contracts. That means that if a covered entity writes into its terms of service that it does not comply with this bill (if it were law), it need not comply with the bill. Just in case that’s not enough for companies, the draft preempts state laws. This is industry’s number one ask in any privacy legislation, and any public interest organization proposing it is just negotiating against itself — once a bill includes preemption, any future negotiations will only weaken the bill’s substantive protections. Conclusion Our bottom line? There are a lot of interesting proposals out there, some of which include ideas that should be included in any comprehensive privacy legislation. But, there’s still a ton of work to be done to craft proposals that truly meet consumers’ needs. And, you can help. Tell your members of Congress to prioritize meaningful, comprehensive consumer privacy legislation in 2019.
Originally written for Public Knowledge.