Circling closer to a federal privacy law, Congress has introduced 7 privacy bills this year

Congress has stated its intention to pass a federal privacy law. For more than a year following Facebook’s Cambridge Analytica controversy, various committees within the House of Representatives and the Senate have held hearings to figure out the composition of a comprehensive federal privacy law.

Members of Congress have introduced several privacy bills this year that aim to regulate companies’ collection and/or use of people’s personal information (privacy bills introduced last year, such as the CONSENT Act, never passed into law and died when Congress reset after last year’s mid-term elections). None of these bills introduced this year have yet to be put to a vote, and if previous efforts are any indication, none are likely to pass into law. However, taken together they paint a picture of what a federal privacy law would likely cover, especially if Congress were to cherry-pick their various provisions and combine them into an omnibus bill. They also indicate Congress members’ differing stances on what a federal privacy law should require of companies. Those latter complications could require Congress to compromise on a federal privacy law’s scope in order to ensure its passage into law, especially if Congress intends to try to pass a federal privacy law before California’s privacy law takes effect in January 2020.

Based on the bills, members of Congress appear to agree that companies need to provide people with better insight into and control over the information that companies collect from them and share with others, in response to Facebook’s Cambridge Analytica scandal. They also appear to agree that the Federal Trade Commission should be responsible for enforcing any federal privacy law. However, they don’t see eye to eye on everything, such as whether consent should be opt-in or opt-out, what qualifies as personal information and whether or not a federal privacy law should preempt states’ own privacy laws, which may be more stringent than a national law but present companies with a compliance nightmare.

Social Media Privacy Protection and Consumer Rights Act of 2019, introduced by Democratic Sen. Amy Klobuchar on January 17, 2019
While introduced early into the current legislative session, this bill appears to be a model for what a bipartisan privacy law might look like.

The bill would require companies to provide an option for people to request to see the personal information a company has collected on them and with whom that information has been shared. Companies would also have to allow people to opt out of the collection and use of their personal information. Those provisions can be found in almost all of the other privacy bills that have been introduced, though not all are opt-out by default like this one.

However, the bill is notable for how it allows companies to deal with people who opt out of data collection and usage. If a person does opt out and opting out would make a companies’ services inoperable, a company would have the right to deny certain services or complete access to that person, according to the bill.

What is considered personal information?: This bill would cover standard categories of people’s personal information, like people’s Social Security numbers, as well as people’s email addresses, telephone numbers, the contents of their messages and information regarding their location.
What types of companies would be affected?: Any website, app, social network, search engine, mobile operating system, email service or internet provider.
Who would be responsible for enforcement?: The FTC, though states’ attorneys general would also be given the right to enforce the law within their states.
Would it preempt states’ privacy laws?: The bill doesn’t say.

Information Transparency & Personal Data Control Act, introduced by Democratic Rep. Suzan DelBene on April 1, 2019
This bill is among the more stringent and specific privacy laws introduced this year. Notably, it would require companies to get people’s opt-in consent before a company could collect, store, process, sell or otherwise share certain types of personal information that the bill defines as sensitive.

As with the Social Media Privacy Protection and Consumer Rights Act of 2019, this bill would require companies to provide an option for people to request to see the personal information a company has collected on them and with whom that information has been shared, and companies would have to provide people with an explanation for why their personal information was shared. For any non-sensitive personal information, companies would need to provide people with an option to opt out of that undefined non-sensitive information being collected, stored, process, sold or otherwise shared.

Since the bill would exempt any sensitive personal information that has been de-identified, it may not be so onerous for the advertising industry, which often relies on anonymized information.
What is considered personal information?: The bill delineates between “sensitive” personal information and “non-sensitive” personal information, though it unhelpfully doesn’t define the latter. Sensitive personal information would include standard categories, like people’s Social Security numbers, as well as their web browsing and app usage histories and their precise geolocation information. However, if a piece of sensitive personal information has been de-identified or is publicly available, it would no longer be covered.
What types of companies would be affected?: Any company that collects, stores, processes, sells or shares personal information from people in the U.S. However companies dealing with information on 5,000 or fewer people would be exempt.
Who would be responsible for enforcement?: The FTC.
Would it preempt states’ privacy laws?: Yes.

Algorithmic Accountability Act of 2019, introduced by Democratic Sen. Ron Wyden and Democratic Rep. Yvette Clarke on April 10, 2019
Technically these are two separate bills — one introduced in the House and the other in the Senate — but the text of each bill is identical. The bills do not seek to be comprehensive federal privacy laws. Instead, they would seem to supplement states’ own privacy laws as well any potential federal privacy law by taking aim specifically at the algorithms that process people’s personal information.

The bills would require that companies be able to break down how their algorithms work and evaluate how their algorithms use of people’s personal information may affect their privacy. What specific regulations companies would have to comply with would be left for the FTC to determine.
What is considered personal information?: This bill defines personal information as information that can be “reasonably” linked to a specific person or device.
What types of companies would be affected?: Any company that either made more than $50 million in average annual gross revenue over the most recent three years, has personal information on more than 1 billion people or devices, makes money off that information by either selling it, trading it or allowing outside companies to access it or is owned by a company that met the revenue or personal information criteria.
Who would be responsible for enforcement?: The FTC.
Would it preempt states’ privacy laws?: No.

Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019, introduced by Republican Sen. Marsha Blackburn on April 10, 2019

This bill offers a glimpse at how Republicans, which have a majority in the Senate but a minority in the House, are looking at privacy regulation. The bill resembles Democratic Rep. DelBene’s Information Transparency & Personal Data Control Act in its stricter parameters for companies. Like DelBene’s bill, Blackburn’s bill would require companies to get people’s opt-in consent before they can use or provide other companies with access to certain categories of personal information. Blackburn’s bill goes a bit further in its rigidity by barring companies from refusing to allow a person to use their services because that person would not consent to providing a company with their sensitive personal information.

However, there could be loopholes in this bill. The bill contains a broadly defined exemption for companies to use people’s sensitive personal information without opt-in consent if that information is considered necessary for a company to provide a service to the person. Additionally, the bill states that companies would need to provide an opt-out mechanism for their use of people’s non-sensitive personal information. However, the language describing that “opt-out approval” mechanism confusingly suggests that people would use it to give companies permission to use and share their non-sensitive personal information.
What is considered personal information?: This bill also delineates between “sensitive” and “non-sensitive” information. Sensitive information would include standard information like people’s Social Security numbers as well as the contents of people’s messages, their web browsing and app usage histories and their precise geolocation information. The bill defines non-sensitive information as “any user information that is not sensitive user information.”
What types of companies would be affected?: Internet providers, sites or apps that require people to register accounts, sites or apps that sell a service to people and search engines.
Who would be responsible for enforcement?: The FTC.
Would it preempt states’ privacy laws?: Yes.

Privacy Bill of Rights Act introduced by Democratic Sen. Edward Markey on April 11, 2019
This bill would be a doozy for businesses if it passed into law. Combining GDPR’s opt-in consent requirement with the California privacy law’s broad definition of personal information, it appears to present the worst-case scenario for companies and the most sweeping privacy protections for people.

Companies would have to get people’s opt-in consent before collecting, using, storing, sharing or selling people’s personal information. Companies would also need to provide people with options to access the information that a company has collected about them as well as to correct, delete or transfer that information.
What is considered personal information?: Like California’s privacy law, this bill takes a broad definition of personal information to include unique personal identifiers, IP addresses, email addresses, purchase histories, browsing and search histories, interactions with a site, app or ad that is specific to an individual; and any inferences drawn from any of this information.
What types of companies would be affected?: Anyone (everyone?) that collects or otherwise gets access to people’s personal information.
Who would be responsible for enforcement?: The FTC, though states’ attorneys general would also be able to enforce it and individuals would be able to sue companies for violating this law.
Would it preempt states’ privacy laws?: Yes.

Do Not Track Act, introduced by Republican Sen. Josh Hawley on May 21, 2019

This bill takes aim at targeted advertising. It would effectively disable behaviorally targeted online advertising by default, though it would exempt ads contextually targeted based on a site’s or app’s content or ads targeted based on the search terms that led people to a site or app.

The bill would require the resurrection of an online Do Not Track mechanism, which browsers had previously adopted and just about everyone came to ignore. The FTC would be charged with developing that DNT system for people to use to request that sites and apps not track them. When enabled, this system would, by default, ask sites and apps not to track people, but people would be able to specify individual sites and apps that would still be allowed to track them.

Sites and apps would have to check for people’s tracking preferences and provide people that request not to be tracked with the same services and products as those that enable tracking. If the DNT signal is sent, they would not be able to use any information collected from a person to target them with ads or to share that information with another company without that person giving their permission for the company to share that information with that specific other company. If there is no DNT signal sent, then a site or app would have to notify a person that the DNT system is available.
What is considered personal information?: This bill would cover any information that a site or app collects that is not necessary to operate the site or app, though even information necessary for the operation of a site or app would be covered if used to target people with ads.
What types of companies would be affected?: Any company that operates a website or app for profit.
Who would be responsible for enforcement?: The FTC, though states’ attorneys general would also be able to enforce it.
Would it preempt states’ privacy laws?: The bill doesn’t say.

Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act, introduced by Democratic Sen. Mark Warner and Republican Sen. Josh Hawley on June 24, 2019
This is another bill that would appear to serve more of a supplementary — and potentially foundational — role for any federal privacy law. The bill includes the table-stakes requirements for companies to give the people the option to request that a company delete the information it has collected from them and to disclose to people how the company uses that information.

What makes this bill unique is its requirement that companies catalog the types of information that they collect from people and then to assess the financial value of that information. At least once a quarter, a company would have to provide each person that uses its service with a report detailing the information it has collected from that user, how it has used that information and the financial value of that individual user’s information. Additionally, once a year companies would have to file a report with the Securities and Exchange Commission that states the aggregate financial value of the company’s user information as well as the financial value of its data collection contracts with third-party companies. The SEC would be charged with coming up with the methodology for companies to use when assessing the financial value of the information they collect from people.

These reports itemized the financial value of companies’ user information would be helpful for a couple of reasons. First, they could be used to determine penalties for companies that have violated people’s privacy in connection to the information they collect. Second, knowing the financial value of this information could come into play if a federal privacy law were to allow a company to provide people with some sort of discount for providing their information or, for people who opt not to provide their information, to charge those people for access the company’s service.
What is considered personal information?: Instead of specifically covering people’s personal information, the bill would cover any information that can be associated with an individual, whether that information was provided by the individual or inferred by the company based on a person’s use of the company’s service.
What types of companies would be affected?: Any company that “generates a material amount of revenue” from use, sale or sharing of people’s information and that operates a service with more than 100 million monthly active users in the U.S.
Who would be responsible for enforcement?: The FTC would be charged with enforcing that companies provide people with the data deletion and disclosure options as well as the quarterly reports for individuals. The SEC would be charged with enforcing companies’ annual disclosures of the information’s financial value.
Would it preempt states’ privacy laws?: The bill doesn’t say.

https://digiday.com/?p=338904

More in Marketing

Marketing Briefing: Marketers test retail media even more as the third-party cookie crumbles

For marketers who weren’t as keen to spend on retail media networks previously, the first-party data pitch of retail media networks is now more appealing.

Ad execs enter crucial phase of Google’s Privacy Sandbox experimentation

Ad execs are diving into three major areas of the Privacy Sandbox without tweaking a thing. It’s all about tracking outcomes for them.

Special report: The third-party cookie primer

A catch-up on all things third-party cookies.