United States: Senior California Democrats Stake Out Privacy Position With Draft Federal Framework

Background

As the privacy debate heats up on Capitol Hill, Rep. Anna Eshoo (D-CA), a senior member of the House Energy and Commerce Committee, and Rep. Zoe Lofgren (D-CA), a senior member of the House Judiciary Committee—both of Silicon Valley—have teamed up to draft privacy legislation, the Online Privacy Act of 2019 (Act).  The pair recently shared their draft framework for the Act with stakeholders.  They have solicited feedback, which is due by July 12, 2019.

Akin Gump is working with clients to address issues raised by the framework.  Please reach out to one of the attorneys listed below if you are interested in joining this effort or obtaining additional information.

The Eshoo-Lofgren framework does not include a provision to preempt state laws like the expansive California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020.  As California Democrats, Reps. Eshoo and Lofgren were not expected to support preemption at this early stage, particularly in light of Speaker Nancy Pelosi’s (D-CA) public comments expressing skepticism about federal legislation that preempts protections provided by the CCPA.

The Eshoo-Lofgren draft is representative of the high standards California Democrats will demand if they are asked to support legislation that includes federal preemption of the CCPA. Additional federal privacy legislation is still expected from the Senate’s Gang of Six (Sens. Wicker (R-MS), Moran (R-KS), Thune (R-SD), Cantwell (D-WA), Schatz (D-HI) and Blumenthal (D-CT)) and from the House Energy and Commerce Committee.

Highlights

  • Does not preempt state privacy laws or outline the bill’s impact on other federal data laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
  • Creates a new “U.S. Digital Privacy Agency” modeled after the Consumer Financial Protection Bureau.
  • Gives individuals the right, if technologically feasible, to opt out of personalized targeting, and covered entities must provide nonpersonalized versions of services.
  • Includes a private right of action, by which individuals can seek injunctive relief for any violation of the Act, and a more expansive form of collective action whereby non-profits can bring cases on behalf of individuals, or at the request of states, and seek a range of remedies (including monetary damages and fees) for any violation of the Act.
  • Permits enforcement by state attorneys general (AGs), who may bring cases themselves or assign rights to bring cases to non-profits.
  • Grants individuals new rights, including the (1) right of access, (2) right of correction, (3) right of deletion, (4) right of portability (limited), (5) right to human review of automated decisions, (6) right to opt out of personalized content and (7) right to be informed.

Definitions

The draft framework’s definitions section will attract significant attention from industry stakeholders and privacy advocates.  The “covered entity” definition is broad.  It includes all entities that both process personal information and transmit information over “an electronic network.”  The definition excludes service providers (e.g., ISPs), which are entities that do not control the selection or transformation of personal information and do not differentiate between personal information and other types of information.  Service providers are not required to comply with the section of the Act concerning individuals’ rights.

The draft framework defines “personal information” to include any information that is linked or reasonably linkable to a specific individual.  Excluded from this definition is information an individual makes public, information derived from personal information that cannot be linked back to an individual and information “that has been obfuscated” in a manner the covered entity cannot reverse.  These exclusions appear to cover deidentified and aggregate information.

Certain provisions of the draft framework would not apply to “small businesses,” defined as entities that do not earn revenue from the sale of personal information, earn less than half of their annual revenue from targeted advertising, have fewer than 500,000 users, have fewer than 200 employees or have less than $10 million in revenue.  The exemption for small businesses is limited to certain provisions of the Act only.  Certain rights, like the right to be informed or the limited right to human review of automated decisions, would apply to any covered entity.

Title I: User Rights

The draft framework centers on core user rights, including rights to access, correction, deletion and portability.  Some of these rights are limited to situations that create, or increase, “privacy harms,” a term broadly defined to include a range of harms, among them monetary, psychological and reputational harms.  The draft framework grants users the right to access all of their personal information and requires covered entities to inform users how their information has been disclosed (i.e., to which third parties) and why the information was collected or shared.

Users also have a right to correct or dispute inaccuracies in their personal information. This mirrors a right granted to data subjects under the European Union’s General Data Protection Regulation (GDPR).

The draft framework’s right to deletion potentially goes beyond that in the CCPA to the extent that it explicitly requires covered entities to delete personal information the entity collected or received, including from third parties.

Only covered entities that meet certain requirements are obligated to abide by the right to portability.  The draft framework proposes to establish an oversight Agency that would provide additional details on this issue.

Reflective of many privacy advocates’ concerns, the draft framework would allow users to request human review for any privacy-related action carried out through an automated process.  This right would be limited to situations where the decision at issue creates or increases significant privacy harms to the requesting user.

The draft framework also establishes the right for consumers to opt out of data collection used for targeted content.  It requires platforms to offer users a version of the service without personalized content.

There are several exemptions to user rights.  The draft framework’s user rights do not apply to personal information used for safeguarding against malicious activity, law enforcement purposes, legal obligations, public safety, preventing service abuses and detecting cybersecurity events.

Covered entities may also deny a user request under Title I if they cannot confirm the user’s identity; if they are prohibited by law from complying; if denying the request is necessary to protect a right or privilege; if the request would limit free expression or pose a safety risk; or if the information is necessary for a transaction or contract and was collected solely for that purpose.

Finally, Title I does not apply to deidentified data that cannot be reidentified using data stored by the covered entity.

Title II: Privacy and Security Requirements

The draft framework contains a provision on data minimization, which establishes that the collection, processing or storage of personal information must be conducted for a legitimate business purpose and account for possible privacy harms.  It further prescribes notice requirements for the collection of information: the notice must be concise and clear and must meet metrics to be established by the new Agency.  Covered entities must obtain consent from users for each category of third party to which they intend to send user data.

Title II of the draft framework establishes several prohibitions on the disclosure of personal information, including disclosing user information to entities outside the jurisdiction of the U.S., selling user information without obtaining consent for each transaction (this does not apply to lead-generation and aggregation services requested by the user) or including personal information in advertising disclosures in a way that allows it to be connected to past or future disclosures.

Consent is not required for deidentified personal information if the data has been deidentified using best practices, and where disclosure is limited to the narrowest possible scope for the intended benefits.

The draft framework includes information security provisions that require reasonable security, mandate a range of precautionary measures (e.g., adopting an incident response plan) and obligate covered entities to provide quicker and more wide-ranging notice following data breaches.  Covered entities experiencing a data breach would have to notify the data protection agency and the other entities affected within 72 hours.  Entities would be required to notify individual consumers of a breach within 14 days; where the breach would be likely to lead to additional privacy harms, users must be notified within 72 hours.

The draft framework’s focus on information security, as well as privacy, may mark a new drive to handle these issues in a single piece of legislation.  Information security has not been a primary focus of Senate efforts to draft privacy legislation, with some lawmakers discussing the need to tackle data security in a separate bill.  Rep. Schakowsky (D-IL) has also discussed the possibility of bundling competition and data protection provisions together in a bill.

Title III: Digital Privacy Agency

The draft framework notably proposes that a new agency be created to enforce a federal privacy standard.  This approach departs from recent calls for increased enforcement authority and resources for the Federal Trade Commission (FTC) to penalize companies for privacy violations.

The proposed U.S. Digital Privacy Agency (Agency) would be comparable to the Consumer Financial Protection Bureau (CFPB) and would be authorized for $200 million with around 1,600 staff members.  The staff allotted in the draft framework is significantly higher than current staff devoted to working on similar issues at the FTC, which has consistently received criticism for its lack of full-time staff devoted to privacy and data security.

The Agency would be led by a presidentially appointed Director, who would serve a term of five years.  A Deputy Director would also be appointed, and the Agency would contain a principal office, along with several field offices. Congressional oversight of the Agency would be conducted by the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee.

Title IV: Enforcement

The draft framework grants the new Agency the authority to conduct investigations, hold hearings and adjudication proceedings, and impose civil monetary penalties for violations of the law. It also allows the Agency to grant other forms of relief, including notification of the violation to the public, payment of damages, restitution, reformation of contracts, and disgorgement.

Enforcement would be shared with state AGs, who could bring cases or assign non-profits to bring cases on behalf of their citizens.  The Agency would be able to take over any case from a state AG.

Finally, the draft framework contemplates civil enforcement by both individuals and non-profits to seek recourse for any violation of the Act.  The CCPA’s private right of action, in contrast, is currently limited to the data breach context.  Individuals would only be able to seek declaratory or injunctive relief.  Non-profits acting on behalf of individuals, however, may be able to seek additional recourse, including damages and fees.

Whether, and to what extent, to include a private right of action in federal privacy legislation recently prompted a clash between lawmakers in the Senate Gang of Six’s privacy working group.  We expect this issue to continue to be hotly contested.
