U.S. Federal Law Tracker


    As the saying goes, “a rising tide lifts all ships,” and the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Protection Act (CCPA) seem to be lifting the prospects of a comprehensive federal privacy law in the United States. Privacy law in the United States, often described as a “patchwork,” seems poised for a major overhaul.


    Last Updated: June 10, 2019


  • Legislation Tracker


    # | Title | Sponsor | Date of Latest Action | Latest Action
    --- | --- | --- | --- | ---
    S-182 | A bill to protect integrity, fairness, and objectivity in decisions regarding access to classified information, and for other purposes. | Sen. Warner, Mark R. [D-VA] and 1 other sponsor | 5/22/19 | 2019-05-22 Placed on Senate Legislative Calendar under General Orders. Calendar No. 97.
    HR-2768 | To amend the General Education Provisions Act to allow the release of education records to facilitate the award of a recognized postsecondary credential. | Rep. Stefanik, Elise M. [R-NY-21] and 2 other sponsors | 5/15/19 | 2019-05-15 Referred to the House Committee on Education and Labor.
    HR-1079 | Creating Advanced Streamlined Electronic Services for Constituents Act of 2019 | Rep. Graves, Garret [R-LA-6] and 3 other sponsors | 5/15/19 | 2019-02-11 Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
    S-211 | SURVIVE Act | Sen. Udall, Tom [D-NM] and 14 other sponsors | 5/13/19 | 2019-03-25 Referred to the Subcommittee on Crime, Terrorism, and Homeland Security.
    HR-2593 | To require the Secretary of the Treasury to collect data and issue a report on the opportunity zone tax incentives enacted by the 2017 tax reform legislation, and for other purposes. | Rep. Kelly, Mike [R-PA-16] and 2 other sponsors | 5/8/19 | 2019-05-07 Read twice and referred to the Committee on Finance.
    S-1338 | A bill to amend the Higher Education Act of 1965 to direct the Secretary of Education to issue guidance and recommendations for institutions of higher education on removing criminal and juvenile justice questions from their application for admissions process. | Sen. Durbin, Richard J. [D-IL] and 17 other sponsors | 5/7/19 | 2019-05-07 Referred to the House Committee on Education and Labor.
    S-1344 | A bill to require the Secretary of the Treasury to collect data and issue a report on the opportunity zone tax incentives enacted by the 2017 tax reform legislation, and for other purposes. | Sen. Scott, Tim [R-SC] and 3 other sponsors | 5/7/19 | 2019-05-07 Read twice and referred to the Committee on Finance.
    HR-2563 | Beyond the Box for Higher Education Act of 2019 | Rep. Richmond, Cedric L. [D-LA-2] and 1 other sponsor | 5/7/19 | 2019-05-07 Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
    HR-2521 | Moving Americans Privacy Protection Act | Rep. Waltz, Michael [R-FL-6] and 2 other sponsors | 5/3/19 | 2019-05-03 Referred to the House Committee on Ways and Means.
    S-1302 | A bill to amend the Tariff Act of 1930 to protect personally identifiable information, and for other purposes. | Sen. Daines, Steve [R-MT] and 4 other sponsors | 5/2/19 | 2019-05-02 Read twice and referred to the Committee on Finance.
    HR-2324 | To amend the Equal Credit Opportunity Act to require creditors to request demographic information from applicants for certain types of credit in order to prevent discriminatory lending practices with respect to those applicants, and for other purposes. | Rep. Garcia, Jesus G. “Chuy” [D-IL-4] | 4/15/19 | 2019-04-11 Read twice and referred to the Committee on Banking, Housing, and Urban Affairs.
    S-1205 | Protections in Consumer Lending Act | Sen. Gillibrand, Kirsten E. [D-NY] and 3 other sponsors | 4/15/19 | 2019-04-15 Referred to the House Committee on Financial Services.
    S-1204 | Higher Education Mental Health Act of 2019 | Sen. Casey, Robert P., Jr. [D-PA] and 5 other sponsors | 4/11/19 | 2019-04-11 Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
    HR-2155 | Genetic Information Privacy Act of 2019 | Rep. Rush, Bobby L. [D-IL-1] | 4/9/19 | 2019-04-09 Referred to the House Committee on Energy and Commerce.
    HR-2188 | Department of Education Accountability and Whistleblower Protection Act | Rep. Rooney, Francis [R-FL-19] and 1 other sponsor | 4/9/19 | 2019-04-09 Referred to the Committee on Education and Labor, and in addition to the Committee on Oversight and Reform, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
    HR-1957 | Taxpayer First Act of 2019 | Rep. Lewis, John [D-GA-5] and 28 other sponsors | 4/9/19 | 2019-04-09 Read twice and referred to the Committee on Finance.
    S-1010 | A bill to amend title 18, United States Code, to establish criminal liability for negligent executive officers of major corporations, and for other purposes. | Sen. Warren, Elizabeth [D-MA] | 4/3/19 | 2019-04-03 Read twice and referred to the Committee on the Judiciary.
    S-1012 | Protecting Jessica Grubb’s Legacy Act | Sen. Manchin, Joe, III [D-WV] and 12 other sponsors | 4/3/19 | 2019-04-03 Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
    S-992 | Dignity Act | Sen. Booker, Cory A. [D-NJ] and 3 other sponsors | 4/2/19 | 2019-04-02 Referred to the House Committee on the Judiciary.
    S-151 | A bill to deter criminal robocall violations and improve enforcement of section 227(b) of the Communications Act of 1934, and for other purposes. | Sen. Thune, John [R-SD] and 84 other sponsors | 4/1/19 | 2019-04-01 Referred to the House Committee on Energy and Commerce.
    HR-2015 | To deter criminal robocall violations and improve enforcement of section 227(b) of the Communications Act of 1934, and for other purposes. | Rep. Brindisi, Anthony [D-NY-22] and 39 other sponsors | 4/1/19 | 2019-05-24 Referred to the House Committee on Energy and Commerce.
    HR-1998 | Protect DREAMer Confidentiality Act of 2019 | Rep. Torres, Norma J. [D-CA-35] and 6 other sponsors | 3/29/19 | 2019-01-22 Read twice and referred to the Committee on the Judiciary.
    S-936 | Ending Mass Collection of Americans’ Phone Records Act of 2019 | Sen. Paul, Rand [R-KY] and 1 other sponsor | 3/28/19 | 2019-03-28 Read twice and referred to the Committee on the Judiciary.
    S-928 | A bill to amend the Internal Revenue Code of 1986 to modernize and improve the Internal Revenue Service, and for other purposes. | Sen. Grassley, Chuck [R-IA] and 2 other sponsors | 3/28/19 | 2019-03-28 Read twice and referred to the Committee on Finance. (Sponsor introductory remarks on measure: CR S2091)
    S-890 | A bill to authorize the Sergeant at Arms to protect the personal technology devices and accounts of Senators and covered employees from cyber attacks and hostile information collection activities, and for other purposes. | Sen. Wyden, Ron [D-OR] and 5 other sponsors | 3/27/19 | 2019-03-27 Read twice and referred to the Committee on Rules and Administration.
    S-893 | Secure 5G and Beyond Act of 2019 | Sen. Cornyn, John [R-TX] and 10 other sponsors | 3/27/19 | 2019-03-27 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    HR-1351 | SURVIVE Act | Rep. O’Halleran, Tom [D-AZ-1] and 14 other sponsors | 3/25/19 | 2019-03-25 Referred to the Subcommittee on Crime, Terrorism, and Homeland Security.
    HR-1025 | UIGHUR Act of 2019 | Rep. Sherman, Brad [D-CA-30] and 29 other sponsors | 3/22/19 | 2019-03-22 Referred to the Subcommittee on Immigration and Citizenship.
    S-806 | Own Your Own Data Act | Sen. Kennedy, John [R-LA] | 3/14/19 | 2019-03-14 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    S-847 | A bill to prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user, and for other purposes. | Sen. Schatz, Brian [D-HI] and 1 other sponsor | 3/14/19 | 2019-03-14 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    S-783 | Clean Slate for Kids Online Act of 2019 | Sen. Durbin, Richard J. [D-IL] and 4 other sponsors | 3/13/19 | 2019-03-13 Read twice and referred to the Committee on Commerce, Science, and Transportation. (text: CR S1849-1850)
    S-748 | A bill to amend the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors, and for other purposes. | Sen. Markey, Edward J. [D-MA] and 1 other sponsor | 3/12/19 | 2019-03-12 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    HR-739 | To support United States international cyber diplomacy, and for other purposes. | Rep. McCaul, Michael T. [R-TX-10] and 27 other sponsors | 3/7/19 | 2019-03-07 Committee Agreed to Seek Consideration Under Suspension of the Rules.
    S-732 | AMBER Alert Nationwide Act of 2019 | Sen. Murkowski, Lisa [R-AK] and 1 other sponsor | 3/7/19 | 2019-03-07 Read twice and referred to the Committee on the Judiciary.
    HR-1602 | TRACED Act | Rep. Kustoff, David [R-TN-8] and 1 other sponsor | 3/7/19 | 2019-03-07 Referred to the House Committee on Energy and Commerce.
    S-656 | SAFE Lending Act of 2019 | Sen. Harris, Kamala D. [D-CA] and 18 other sponsors | 3/5/19 | 2019-03-05 Read twice and referred to the Committee on Banking, Housing, and Urban Affairs.
    HR-1512 | To provide funds to give States incentives to invest in practices and technology designed to expedite voting at the polls and simplify voter registration, improve voting system security, and promote automatic voter registration, and for other purposes. | Rep. Langevin, James R. [D-RI-2] and 2 other sponsors | 3/5/19 | 2019-03-05 Referred to the House Committee on House Administration.
    HR-677 | 21st Century President Act | Rep. Pocan, Mark [D-WI-2] and 39 other sponsors | 3/4/19 | 2019-03-04 Referred to the Subcommittee on Crime, Terrorism, and Homeland Security.
    S-618 | Medicare Choices Empowerment and Protection Act | Sen. Cassidy, Bill [R-LA] and 3 other sponsors | 2/28/19 | 2019-02-28 Read twice and referred to the Committee on Finance.
    S-583 | A bill to provide for digital accountability and transparency. | Sen. Cortez Masto, Catherine [D-NV] | 2/27/19 | 2019-02-27 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    HR-1390 | To amend titles XVIII and XIX of the Social Security Act to promote the ability of individuals entitled to benefits under part A or enrolled under part B of the Medicare program and individuals enrolled under a State plan under the Medicaid program to access their personal medical claim data, including their providers, prescriptions, tests, and diagnoses, through a mobile health record application of the individual’s choosing, and for other purposes. | Rep. Clarke, Yvette D. [D-NY-9] and 1 other sponsor | 2/27/19 | 2019-02-27 Referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
    HR-1282 | Data Accountability and Trust Act | Rep. Rush, Bobby L. [D-IL-1] and 2 other sponsors | 2/14/19 | 2019-02-14 Referred to the House Committee on Energy and Commerce.
    S-435 | A bill to require the Director of the Office of Management and Budget to issue guidance on electronic consent forms, and for other purposes. | Sen. Carper, Thomas R. [D-DE] and 1 other sponsor | 2/11/19 | 2019-02-11 Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
    S-314 | Modernizing the Trusted Workforce for the 21st Century Act of 2019 | Sen. Warner, Mark R. [D-VA] | 1/31/19 | 2019-01-31 Read twice and referred to the Select Committee on Intelligence.
    HR-930 | To provide for the establishment of a national standard for incorporating a passive identification ability into all firearms sold in the United States, and to require the reporting of lost or stolen firearms to the appropriate law enforcement authorities. | Rep. Velazquez, Nydia M. [D-NY-7] | 1/30/19 | 2019-03-22 Referred to the Subcommittee on Crime, Terrorism, and Homeland Security.
    S-245 | Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019 | Sen. Warner, Mark R. [D-VA] and 1 other sponsor | 1/28/19 | 2019-01-28 Read twice and referred to the Select Committee on Intelligence.
    HR-648 | H.R. 648, Consolidated Appropriations Act, 2019 | Rep. Lowey, Nita M. [D-NY-17] | 1/28/19 | 2019-01-28 Read the second time. Placed on Senate Legislative Calendar under General Orders. Calendar No. 16.
    S-227 | Savanna’s Act | Sen. Murkowski, Lisa [R-AK] and 19 other sponsors | 1/25/19 | 2019-01-25 Read twice and referred to the Committee on Indian Affairs.
    S-197 | A bill to provide for the confidentiality of information submitted in requests for deferred action under the deferred action for childhood arrivals program, and for other purposes. | Sen. Heinrich, Martin [D-NM] and 21 other sponsors | 1/22/19 | 2019-01-22 Read twice and referred to the Committee on the Judiciary.
    S-189 | Social Media Privacy Protection and Consumer Rights Act of 2019 | Sen. Klobuchar, Amy [D-MN] and 3 other sponsors | 1/17/19 | 2019-01-17 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    S-182 | PRENDA | Sen. Kennedy, John [R-LA] and 4 other sponsors | 1/17/19 | 2019-05-20 Referred to the Subcommittee on the Constitution, Civil Rights, and Civil Liberties.
    S-142 | A bill to impose privacy requirements on providers of internet services similar to the requirements imposed on Federal agencies under the Privacy Act of 1974. | Sen. Rubio, Marco [R-FL] | 1/16/19 | 2019-01-16 Read twice and referred to the Committee on Commerce, Science, and Transportation.
    HR-455 | Safe and Secure Federal Websites Act of 2019 | Rep. Fleischmann, Charles J. “Chuck” [R-TN-3] | 1/10/19 | 2019-01-10 Referred to the House Committee on Oversight and Reform.
    HR-21 | Department of Housing and Urban Development Appropriations Act, 2019 | Rep. Lowey, Nita M. [D-NY-17] | 1/8/19 | 2019-01-08 Read the second time. Placed on Senate Legislative Calendar under General Orders. Calendar No. 5.
    HR-120 | Police CAMERA Act of 2019 | Rep. Cohen, Steve [D-TN-9] and 22 other sponsors | 1/3/19 | 2019-01-03 Referred to the Subcommittee on Crime, Terrorism, and Homeland Security.


  • Rising Tide

    During the summer of 2018 the White House, in concert with the Commerce Department, was working on a proposal to help web users protect their personal data. The aim was to draft a proposal with an initial set of ideas outlining both the rights of web users and the principles by which companies processing personal data would have to abide. A number of lawmakers, companies, and trade associations have also released draft bills or frameworks for comprehensive privacy legislation. These efforts are a breakthrough in the field of privacy and data protection at the federal level in the US.

    Amazon, Google (and its parent Alphabet), Facebook, Microsoft, and Apple have all released public statements over the past several months that advocate for a stronger federal privacy law in the United States. Tim Cook, in a speech in Brussels in October, said that Apple is “in full support of a comprehensive federal privacy law in the United States.” Cook set the stage by warning against the “data industrial complex”, adding further that our own data is “being weaponized against us with military efficiency.”

    AT&T, Google, Twitter, and Apple have all been working closely with lawmakers and the executive branch in the US to curb some legislative efforts on three crucial points: a) pre-empting efforts from local legislatures (e.g., arguing that having many laws at a local level could create confusion); b) fostering privacy principles on their own terms (because they have enough lobbying resources); and c) preventing a bill as stringent as the GDPR (e.g., certain companies view requirements such as the 72-hour breach notification to be cumbersome and costly).

    On November 13, 2018, the National Telecommunications and Information Administration (NTIA), an agency of the United States Department of Commerce, released comments from its request for comments. The NTIA sought comments on a number of outcomes and high-level goals. The NTIA received more than 200 responses from individuals, industry, and civil society. To read more about the NTIA responses including trends and key takeaways, check out our detailed analysis here.

  • General

    Lawmakers, companies, and industry associations have been introducing their own versions of comprehensive federal privacy legislation and/or frameworks for such legislation.


    BILLS

    BLUMENTHAL/MARKEY

    Senators Blumenthal (D-CT) and Markey (D-MA) introduced the “Customer Online Notification for Stopping Edge-provider Network Transgressions” or “CONSENT Act” on April 10th, 2018. The bill enhances the power and resources of the Federal Trade Commission in an effort to establish privacy protections for “customers of online edge providers.”

    Personally Identifiable Information

    The bill protects two kinds of information: “personally identifiable information” (PII) and “sensitive customer proprietary information.” Personally identifiable information is any information that is “linked or reasonably may be linked, to a specific individual or device.”

    The definition of “sensitive customer proprietary information” includes: financial information, health information, information pertaining to children, Social Security numbers, precise geolocation information, content of communications, call detail information, web browsing history, application usage history, the functional equivalents of either, and any other PII that the Commission determines to be sensitive.

    Who is covered?

    The bill applies to an “edge provider,” which is defined as a “person that provides an edge service, but only to the extent to which the person provides that service.” An “edge service” means a “service that is provided over the Internet” (e.g., the customer creates an account, searches the edge provider’s database, or divulges sensitive customer proprietary information) and “any service that is provided through a software program or mobile application or over the Internet, directly or indirectly through a connected device.”

    The bill protects “customers,” which it defines as an individual who is a “customer of an edge provider; and user of edge service provided by an edge provider.”

    KLOBUCHAR

    Senators Klobuchar (D-MN) and Kennedy (R-LA) introduced the “Social Media Privacy Protection and Consumer Rights Act of 2018” on April 23, 2018. The bill aims to protect the privacy of users of social media and other online platforms. Despite the bill’s title, the bill actually has a wide scope in that it aims to protect the “personal data” of individuals interacting with any “covered online platform.”

    Personal Data

    The bill defines “personal data” as “individually identifiable information about an individual collected online.” The bill lists several examples such as location, e-mail address, telephone number, government identifier, geolocation information, the content of a message, protected health information, and nonpublic personal information. A plain reading of the definition of “personal data” and of “geolocation information” appears to be wide enough to also consider IP addresses, cookies, and device IDs as “personal data.”

    Who is covered?

    The bill applies to a “covered online platform,” which is an “online platform that collects personal data during the online behavior of a user of the online platform.” An “online platform” is any public-facing website, web application, or digital application (including a mobile application). Examples of an online platform include social networks, ad networks, mobile operating systems, search engines, email services, or an Internet access service.

    POE

    On July 31, 2018, Representative Poe introduced H.R. 1039, which is a resolution aiming to implement certain privacy rights for individuals.

    JOHNSON (DATA Act)

    Representative Johnson (D-GA) introduced the “Data Broker Accountability and Transparency Act of 2018” (DATA Act) on July 26, 2018. The bill requires data brokers to establish procedures to ensure the accuracy of collected personal information.

    Personal Information

    The bill defines “personal information” as an “individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following data elements for that individual: 1) Social Security number, 2) Government identification (e.g., driver’s license), or 3) Financial account number or credit or debit card number and any required security code or password that is necessary to permit access to the individual’s financial account.”

    Who is covered?

    The bill applies to all data brokers except those that are specifically excepted by the Commission. A “data broker” is a “commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third-party access to the information.” The bill gives the FTC the ability to except certain data brokers that collect or process information from a nonaffiliated third party if that information is used to provide benefits to the third party’s employees or for the third party to directly transact with its customers.

    JOHNSON (APPS Act)

    Representative Johnson (D-GA) introduced the “Application Privacy, Protection, and Security Act of 2018” (APPS Act) on July 26, 2018. The bill’s stated purpose is to provide greater transparency and control around data collected by mobile applications.

    Personal Data

    The bill does not explicitly define “personal data,” but rather states that it will have whatever meaning the Commission gives it, except that it will not include “de-identified data.” De-identified data is data that “cannot be used to identify or infer information about, or otherwise be linked to, a particular individual or mobile device, as determined with a reasonable level of justified confidence based on the available methods and technologies, the nature of the data at issue, and the purposes for which the data will be used.”

    Who is covered?

    The draft APPS Act applies to the “developer of a mobile application.” As with “personal data,” “developer” is not explicitly defined; the bill instead uses whatever meaning the FTC will give it. A “mobile application” is a software program that: “a) runs on the operating system of a mobile device; and b) collects data from a user.” A “mobile device” is a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.

    The draft APPS Act ostensibly protects a “user” of a mobile application; however, “user” is not defined.

    DELBENE

    On September 20, 2018, Congresswoman DelBene introduced the “Information Transparency & Personal Data Control Act of 2018.”

    Sensitive Personal Information

    The bill protects two types of personal information, “sensitive personal information” and “call detail records.” “Sensitive personal information” is defined broadly and means “information relating to an identified or identifiable individual, including the following:

    • Financial information;
    • Health information;
    • Relationships;
    • Information pertaining to children under 13 years of age;
    • Social Security numbers;
    • Driver’s license or other government-issued ID number;
    • Authentication credentials, such as a username and password;
    • Precise geolocation information;
    • Content of communications;
    • Call detail records;
    • Web browsing history, application usage history, and the functional equivalent of either;
    • Biometric information;
    • Sexual orientation;
    • Political preferences;
    • Religious beliefs;
    • Any other personal or behavioral information that the Commission determines to be sensitive.

    “Call detail record” is defined as “session-identifying information (including an originating or terminating phone number, or a subscriber or mobile station equipment identifier), a calling card number or duration of a call.” A “call detail record” does not include the “contents” (as explained below) of any communication, the name, address, or financial information of a subscriber or customer, or the cell site or GPS information. The bill adopts the definition of “contents” from the “Wire and Electronic Communications Interception and Interception of Oral Communication” (18 U.S.C. 119, §2510), which defines “contents” as “any wire, oral, or electronic communication, includ[ing] any information concerning the substance, purport, or meaning of that communication.”

    Who is covered?

    The bill regulates “operators,” an “operator” being an entity:

    • “Who operates a website located on the internet or an online service and who collects or maintains personal information from or about individuals, or on whose behalf such information is collected or maintained.”

    Where such website or online service is operated for a commercial purpose, an “operator” will include:

    • any entity that buys and sells consumer data without direct consumer interaction; and
    • any entity offering products or services for sale through that website or online service, involving commerce among the States or with one or more foreign nations.

    WYDEN

    Senator Wyden (D-OR) released a discussion draft of his “Consumer Data Protection Act” on November 1, 2018. The bill expands the scope and power of the FTC by broadening the definitions of key data collection and processing activities and authorizing the FTC to assess civil penalties of $50,000 per violation and 4% of the entity’s total annual gross.

    Personal Information

    The bill defines “personal information” as “any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or device.”

    Who is covered?

    The bill applies to “covered entities.” Covered entities include any person, partnership, or corporation over which the FTC has jurisdiction. Notably, the definition of covered entities excludes persons, partnerships, or corporations that satisfy all three of the following conditions: 1) have less than $50,000,000 in gross receipts for the 3 preceding years and hold personal information on fewer than 1,000,000 consumers and 1,000,000 devices; 2) are not owned by anyone that does not meet the above requirement; 3) are not a data broker (meaning that a data broker by definition is a covered entity).

    INTEL

    On November 8, 2018, Intel released its draft privacy bill titled the “Innovative and Ethical Data Use Act of 2018.”

    Personal Data

    The Intel draft bill defines “personal data” as “any information relating to an identified or identifiable natural person.” An “identifiable natural person” is one who “can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, biometric, mental, economic, cultural or social identity of that natural person.”

    This definition of “personal data” tracks that of the GDPR almost exactly.

    Who is covered?

    Intel’s draft bill applies to “covered entities,” which include:

    • any person over which the FTC has authority under the FTC act;
    • certain common carriers subject to the Communications Act of 1934;
    • certain 501(c) non-profit organizations;
    • organizations that are owned or controlled by a covered entity;
    • certain “third parties.”

    Exclusions from the definition of a “covered entity”:

    • Those persons above (but not “third parties”) that have fewer than 15 employees and collect or utilize the personal data of fewer than 5,000 individuals; or
    • Those persons above (but not “third parties”) that merely transmit, route, or connect the “digital person data” between or among covered entities, or to and from the individuals to whom the personal data relates.

    SCHATZ

    On December 12, 2018, Senator Schatz (D-HI) along with 15 other Senators introduced the “Data Care Act of 2018” (DCA 2018). The bill imposes certain duties (e.g., care, loyalty, and confidentiality) on “online service providers” with respect to their collection and handling of “individual identifying data.”

    Individual Identifying Data

    The bill defines “individual identifying data” as “any data” that is 1) “collected over the internet or any other digital network” and 2) is “linked, or reasonably linkable to a specific end user or computing device that is associated with or routinely used by an end user.”

    The bill also protects “sensitive data,” which is “any data” that includes:

    • Social Security Number
    • Personal information collected from a child
    • A government-issued ID (e.g. driver’s license number, passport, etc.)
    • Financial account number, credit card number, or any required security or access code necessary to permit access to a financial account
    • Unique biometric data (e.g. fingerprint, voice print, a retina or iris image, or any other unique physical representation)
    • Access credentials (e.g. username and password)
    • An individual’s name or other “unique identifier” in combination with the individual’s 1) date of birth; 2) mother’s maiden name; or 3) “the past or present precise geolocation of the individual”;
    • Health-related data (e.g. past, present, or future health condition or the provision of healthcare);
    • The “nonpublic communications or other nonpublic user-created content of an individual.”

    Note that data that exists in physical or paper form may not necessarily be covered by the definition of “individually identifying data” but may be covered by the seemingly wider scope of “sensitive data.”

    Who is covered?

    The bill establishes requirements for an “online service provider,” defined as an “entity that is engaged in interstate commerce over the internet or any other digital network; and in the course of business, collects individual identifying data about end users, including in a manner that is incidental to the business conducted.”

    RUBIO

    On January 16, 2019, Senator Rubio introduced bill S.142 (the “American Data Dissemination (ADD) Act of 2019”). The bill proposes privacy requirements on providers of internet services based on the requirements under the Privacy Act of 1974 for federal agencies. The bill aims to protect both consumer privacy and the innovative capabilities of the internet economy. Start-ups and small businesses are exempted under the bill.

    FRAMEWORKS / PRINCIPLES

    GOOGLE

    On September 23, 2018, Google released its proposed framework for a national data protection legislation in the United States.

    Data

    Google’s framework recommends that a national data protection law define “personal information” “flexibly to ensure the proper incentives and handling.” It further recommends that each provision clarify which types of information (e.g. aggregated, de-identified, pseudonymous, or identified) it applies to.

    Who is covered?

    Google suggests the creation of entity concepts resembling “Controller” and “Processor” in the EU.

    U.S. CHAMBER OF COMMERCE

    On [date], the United States Chamber of Commerce released its recommendations for a comprehensive federal privacy law in the United States. The document is a high-level discussion of important principles to be considered in the development of the national legislation.

    Data

    The U.S. Chamber of Commerce recommends privacy protections for “data” (or “consumer data”) but does not explicitly define data (or consumer data).

    Who is covered?

    The U.S. Chamber of Commerce principles are “industry neutral” and thus apply to all industry sectors that handle consumer data. The principles aim to protect consumers and individuals alike.

    INTERNET ASSOCIATION

    The Internet Association (IA) released its “Principles for a Modern National Regulatory Framework” on [date].

    Personal Information

    The IA principles recommend a framework for protecting the “personal information” of individuals. Personal information is defined as “any information capable of identifying a specific individual or a device that belongs to that individual.”

    Who is covered?

    The IA principles are to be applied consistently “across all entities” to the extent they are not already regulated at the federal level.


    Business Roundtable

    On December 6, 2018, the Business Roundtable, a collection of over 200 organizations, proposed a framework for national data privacy.

  • Lawfulness, Fairness and Nondiscrimination

    BLUMENTHAL/MARKEY

    The draft CONSENT Act requires an edge provider to obtain “opt-in” consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer. It is not clear whether an edge provider is also required to obtain opt-in consent with respect to “personally identifiable information.”

    The bill does not address the collection or use of information (PII or sensitive customer information) of minors.

    KLOBUCHAR

    Under this bill, personal data of a user is collected and used by an operator by default. Before a user creates an account with, or otherwise begins to use a covered online platform, the operator of the online platform must inform the user that unless the user makes an election (“opt-in” or “opt-out”), personal data will be collected by the operator and used by the operator and third parties. The user must be provided the option to either:

    • 1) agree to the terms of service for using the online platform (including the collection and use of personal data); or
    • 2) prohibit the collection and use of personal data.

    If the user elects to prohibit the collection and use of personal data and such election “creates inoperability in the online platform,” the operator may deny certain services or completely deny access to the user. An operator must ensure that the user can withdraw consent as easily as it was given.

    Furthermore, an operator may not introduce a new product, or implement any material change to the privacy or security program of the online platform that overrides the privacy preferences of a user, unless the operator has, among other requirements, obtained “affirmative express consent” from the user.

    POE

    H.R.1039 requires data processors to have a legal basis for processing the data of users. Opt-in consent is a primary legal basis under the Resolution. The consent must be freely given, specific, informed, and unambiguous.

    JOHNSON (DATA Act)

    The non-binding findings in the preamble/recitals of the draft of the DATA Act recognize that requiring data brokers to provide an individual with fair information practices will increase fairness, improve privacy, promote economic growth, and limit identity theft and other criminal activity. To that end, the DATA Act aims to impose certain obligations on data brokers with respect to the collection of an individual’s data from the individual to whom the data belongs. A data broker may not collect information about an individual by using a “false, fictitious, or fraudulent representation to any person.” For example, a data broker that collects information from an individual to verify that individual’s identity may not use the information it collects for any purpose other than verifying the identity of the individual.

    JOHNSON (APPS Act)

    According to the APPS Act, before a mobile application collects personal data about a user, the developer must provide the user with notice of the terms and conditions governing the data and obtain the consent of the user to such terms. The notice must specify the categories of purposes for which the data will be used. The bill does not specify or give examples of purposes that developers may be able to rely on.

    The bill does not define the term “consent” or provide details on the form of consent a developer is required to obtain from a user (e.g. “opt-in”, “opt-out”, implicit, affirmative, etc.). A developer must provide the user with a means to:

    • notify the developer that the user intends to stop using the application and request the developer refrain from any further collection of personal data; and
    • at the option of the user, either:
      • 1) to the extent practicable, delete any personal data collected or stored; or
      • 2) refrain from any further use or sharing of such data.

    A developer must comply with such a request within a reasonable and appropriate time after receiving such a request.

    DELBENE

    An operator must provide the user with a privacy policy that states a user must provide “affirmative, express, and opt-in consent to any functionality that involves the collection, storage, processing, sale, sharing, or other use of sensitive personal information, including sharing personal data with third parties.” For any collection, storage, processing, selling, sharing, or other use of non-sensitive personal information, including sharing with third parties, operators must provide users with the ability to opt out at any time.

    Exemptions

    Most of the requirements shall not apply to the processing, collection, storage, sharing, or sale of sensitive personal information for the following purposes:

    • Preventing or detecting fraud;
    • protecting the security of people, devices, networks, or facilities;
    • protecting the health, safety, rights, or property of the covered entity or another person;
    • responding in good faith to a valid legal process;
    • monitoring or enforcing agreements between the covered entity and an individual.

    An operator does not need to obtain opt-in consent from a user for processing of “sensitive personal information” or “behavioral data” if such processing “does not deviate from purposes consistent with an operator’s relationship with users as understood by the reasonable user.”

    RUBIO

    WYDEN

    Under Senator Wyden’s proposed bill, the FTC shall implement and maintain a “Do Not Track” data sharing opt-out website that allows consumers to opt out of data sharing. This is designed to prevent covered entities from sharing the personal information of the consumer. A covered entity is bound by the consumer’s opt-out, but in certain circumstances a covered entity may obtain a consumer’s opt-in consent that overrides the prior opt-out. Where such consent is required, the operator must provide clear and conspicuous notice to the user that the user may obtain the same service for a fee instead of sharing the user’s data with the covered entity. Where consent is not required, an operator must provide clear and conspicuous notice that the consumer may refuse to provide consent but still obtain the product or service.

    INTEL

    For data that is likely to create significant privacy risk, a covered entity must provide explicit notice to an individual before collecting such data from that individual. Data requiring explicit notice includes, but is not limited to, geolocation data, biometric data, physical and mental health data, sexual life data (sexual activity, orientation, preference, and/or behavior), and genetic data.

    SCHATZ

    Under the bill’s “Duty of Loyalty,” an online service provider may not use individual identifying data, or data derived from individual identifying data, in any way that 1) will benefit the online service provider to the detriment of an end user; and 2) either will result in “reasonably foreseeable and material physical or financial harm to an end user” or would be unexpected and highly offensive to a reasonable end user.

    U.S. CHAMBER OF COMMERCE

    The U.S. Chamber of Commerce recognizes that the national privacy legislation requires a respect for individual privacy and choice.

    INTERNET ASSOCIATION

    The Internet Association principles aim to protect an individual’s personal information and foster trust by enabling individuals to understand their rights regarding how their personal information is collected, used, and shared.


  • Transparency and Free Access


    BLUMENTHAL/MARKEY

    An edge provider is required to notify a customer about the collection, use, and sharing of sensitive customer proprietary information. The notice must specify:

    • types of sensitive customer proprietary information the provider collects;
    • how and for what purposes the edge provider uses and shares sensitive customer proprietary information; and
    • the types of entities with which the edge provider shares sensitive customer proprietary information.

    POE

    H.R.1039 allows an individual to know which entities have access to the data of the individual and how that data is being used. In addition, an individual is allowed to obtain and reuse the data of the individual for the individual’s own purposes across other services.

    KLOBUCHAR

    An operator of an online platform must provide a user of the online platform with the terms of service for use of the online platform in a form that is:

        • easily accessible;
        • of reasonable length;
        • clearly distinguishable from other matters; and
        • in language that is clear, concise, and well organized.

    An operator of a covered online platform must offer a user of the online platform a copy of the personal data of the user that the operator has processed, free of charge, and in an electronic and easily accessible format. This copy must include a list of each person that received the personal data from the operator for business purposes, whether through sale or other means.

    JOHNSON (DATA Act)

    A data broker must maintain a website and on it place a clear and conspicuous notice instructing an individual how:

    • to review his or her information;
    • to express a preference not to have his or her information used for marketing purposes.

    Subject to certain exceptions, a data broker must provide an individual a means to review any personal information, or other information that specifically identifies that individual, that the covered data broker collects, assembles, or maintains. The means for review must be provided at an individual’s request, at no cost to the individual, and in a format that can be readily understood by a consumer.

    JOHNSON (APPS Act)

    Before a mobile application collects the personal information of a user of the application, the developer must provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data. The notice should include the following:

    • the categories of personal data that will be collected
    • the categories of purposes for which the personal data will be collected
    • the categories of third parties with which the personal data will be shared
    • a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the user’s right to withdraw consent.

    DELBENE

    The bill requires operators to provide users with an up-to-date, transparent privacy, security, and data use policy. The bill requires, among other things, that such a policy be concise and intelligible, clear and prominent in appearance, and provided to users free of charge. The privacy policy must also include, among other things, additional information for users such as the identity of the entity collecting the sensitive personal information, the purpose for such collection and/or use, the storage period for such information, how users can view the sensitive personal information they have provided to an operator, and whether it can be exported to other web-based platforms.

    WYDEN

    As part of the “Do Not Track” data sharing opt-out website, a user must be able to opt out of data sharing, view their opt-out status, and change their opt-out status. The website should be reasonably accessible and usable by consumers. When consent is not required, the covered entity must provide clear and conspicuous notice to the consumer that he or she can obtain a substantially similar product or service in exchange for monetary payment or other compensation rather than by permitting the covered entity to share the consumer’s personal information.

    INTEL

    In accordance with the Openness principle, the Intel draft bill requires covered entities to provide individuals, government agencies, and the public with information concerning their data practices regarding personal data. There are three kinds of notice that a covered entity must provide: “general”, “explicit”, and “complete”. A covered entity must publish a general notice in the form of a publicly available privacy policy, generally articulating the processing practices of the covered entity. A covered entity must provide explicit notice where the processing of personal data is likely to create “a significant privacy risk.” A covered entity must publish and make available a “complete notice,” which includes a reasonably full description of the covered entity’s collection and processing of personal data.

    A covered entity must provide an individual with a readily available means of promptly obtaining:

    • confirmation of whether personal data concerning the individual is processed by the covered entity
    • descriptions concerning what specific personal data are processed by the covered entity
    • plain language explanations of the processing of the personal data concerning the individual, including any undertaken by a third-party;
    • reasonable access to the personal data and the ability to correct erroneous personal data;
    • supplementation of the personal data with additional information offered voluntarily by the individual to address data quality requirements as described in Section 4(b); and
    • reasonable obscurity of personal data processed.

    SCHATZ

    There is no explicit reference to “transparency” or “free access” in the text of the bill; however, these concepts may ostensibly be subsumed by the wide scope of the duties of care, loyalty, and confidentiality.

    GOOGLE

    Google’s framework requires organizations to be transparent about the types of data they collect, why they collect it, and how they use or disclose it. Additionally, at a high level, a national privacy law should mandate transparency and help individuals be informed.

    U.S. CHAMBER OF COMMERCE

    According to the U.S. Chamber of Commerce’s principles, businesses should be transparent about the collection, use, and sharing of consumer data and provide consumers with clear privacy notices that businesses will honor.

    INTERNET ASSOCIATION

    The Internet Association’s proposed “Transparency” privacy principle recognizes that companies following a national privacy framework should provide individuals with information about how personal information is shared and the purposes for which it is shared. Furthermore, under the “Control” principle, an individual should have “meaningful controls” over how personal information they provide to companies is collected, used, and shared, except where that information is necessary for the basic operation of the business or where doing so could lead to a violation of the law. According to the “Access” principle, individuals should have reasonable access to the personal information they provide to companies.

  • Purpose Specification, Use Limitation and Suitability

    BLUMENTHAL/MARKEY

    The bill requires that an edge provider notify a customer about how and for what purposes the edge provider uses and shares sensitive customer proprietary information.

    KLOBUCHAR

    An operator of an online platform must publish details as to how the operator will use the personal data of a user of the online platform.

    POE

    H.R.1039 requires data processors to process data only for the specific purpose stated to the individual.

    JOHNSON (DATA Act)

    In certain situations, data brokers are prohibited from using the personal data collected from an individual in a manner inconsistent with the original purpose for which the information was collected. If a data broker collects information from an individual to verify the identity of the individual, the data broker may not use such information for any purpose other than for the purposes of verifying the identity of the individual. If an individual expresses his or her preference to not allow a data broker to use the individual’s information for marketing purposes, the data broker may not use, share, or sell any information for such purposes.

    JOHNSON (APPS Act)

    Before a mobile application collects personal data about a user of the application, the developer must provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data. Such notice must include the categories of purposes for which the personal data will be used.

    DELBENE

    The bill requires an operator to provide notice to the user as to the purpose or use for collecting, storing, processing, selling, sharing, or otherwise using the personal information, including how the sensitive personal information is shared with third parties. Notice is not required where the operator processes, collects, stores, shares, or sells sensitive personal information pursuant to “necessary operations and security purposes.”

    WYDEN

    As part of the proposed “Do Not Track” website, a covered entity must provide a user with a description of the purposes for which the personal information of that consumer will be shared. These purposes must also be shared with the user (see also “verified consumer”) upon the user’s request. A covered entity should only share the collected personal information if sharing such information is necessary for the primary purpose for which the information was collected. A covered entity is also required to conduct privacy impact assessments when using an “automated decision system” or “high-risk automated decision system.” As part of the assessment, the covered entity must describe the purposes for using such systems.

    INTEL

    According to the Intel draft bill, which implements the Fair Information Practice Principles, a covered entity must, in its notice to individuals before collecting any personal data, include the purposes for which personal data are processed. Additionally, a covered entity must only process personal data that is relevant to the purposes for which it is to be processed, and only to the extent necessary for those purposes.

    The draft bill provides certain permitted and prohibited processing purposes.

    Permitted Processing:

    • any purpose for which the individual to whom the personal data relates provides explicit consent, unless otherwise prohibited by law, regulation, or public policy;
    • as required by law or by regulation, including a lawful request of a government agency; and
    • any uses that satisfy the language of “consistent uses” [explained below].

    Prohibited Processing:

    • violating one or more state or federal laws or regulations; and
    • interfering with, or denying, individuals their rights and privileges under the United States Constitution.

    Processing that is determined to be in line with “consistent uses” is permitted. Such a determination must be documented and based on a risk/benefit analysis taking into consideration the following factors:

    • the reasonable expectation of the individual to whom the data relates;
    • the likelihood and severity of privacy risks;
    • the potential benefits to that individual;
    • the privacy risk and potential benefits to other individuals; and
    • the potential risks and benefits to society.

    SCHATZ

    The bill does not explicitly require that individual identifying data be collected or used for a specified purpose, but it does require an online service provider to abide by a “duty of confidentiality.” Under this duty, the provider may not disclose or sell individual identifying data unless doing so is consistent with the duty of care (e.g. protection and loss prevention) and the duty of loyalty (e.g. avoiding harm to the user).

    GOOGLE

    Google recommends placing “reasonable limitations” on the “manner and means” of collecting, using, and disclosing personal information.

    U.S. CHAMBER OF COMMERCE

    Privacy protections should be based on the sensitivity of the data and informed by the purpose and context of its use and sharing.

    INTERNET ASSOCIATION

    The Internet Association principles do not specify the kinds of lawful processing that companies should rely on, but they do recommend that businesses share such purposes with individuals.

  • Data Minimisation, Storage Limitation and Accuracy

    BLUMENTHAL/MARKEY

    The bill imposes certain obligations on edge providers to de-identify both personally identifiable information and sensitive customer proprietary information. Specifically, an edge provider must:

    • “alter the customer information so that the customer cannot be reasonably linked to a specific individual or device;”
    • publicly commit to maintain and use sensitive customer proprietary information in an unidentifiable format and to not attempt to restore any personally identifiable information that has been previously removed; and
    • contractually prohibit the practice of restoring any personally identifiable information that has been previously removed from sensitive customer proprietary information.

    There are no specific requirements for edge providers with respect to storage limitations or the accuracy of the personally identifiable information or sensitive customer proprietary information collected from an individual.

    KLOBUCHAR

    If an operator of an online platform becomes aware that the personal data of a user has been transferred improperly, the operator must offer the user the option to have the operator:

    • erase all personal data of the user tracked by the operator; and
    • cease further dissemination of personal data of the user tracked by the operator.

    There are no other specific requirements on operators with respect to data minimisation, storage limitations, or accuracy of the personal data collected from users.

    POE

    H.R.1039 limits the processing of data to only what is necessary for the specific purpose stated to the individual.

    JOHNSON (DATA Act)

    Under the draft of the DATA Act, a covered data broker, subject to the exceptions below, must establish procedures to ensure, to the maximum extent practicable, the accuracy of the personal information it collects, assembles, or maintains and any other information it collects, assembles, or maintains that specifically identifies an individual, unless the information only identifies an individual’s name or address.

    A data broker may collect or maintain inaccurate information with respect to a particular individual if that information is being collected or maintained solely for the purpose of:

    • indicating whether there may be a discrepancy or irregularity in the personal information associated with an individual;
    • helping to identify, or authenticate the identity of an individual, or
    • helping to protect against or investigate fraud or other unlawful conduct.

    An individual whose personal information is maintained by a data broker may dispute the accuracy of any information described under this section. If the data broker was reporting information (public record or non-public information) inaccurately, the data broker must correct the inaccuracy within a time period to be later determined by the Commission.

    JOHNSON (APPS Act)

    Under the draft APPS Act, a mobile developer must provide the user of the application with notice of the terms and conditions governing the collection, use, storage, and sharing of personal data. The notice should also include a data retention policy which governs the length for which the personal data will be stored and the terms and conditions applicable to storage.

    DELBENE

    An operator must provide a user with notice which includes the “storage period for how long the personal information will be retained by the operator and any third party, as applicable.”

    WYDEN

    Covered entities using “automated decision systems” must consider data minimization, storage limitations, and accuracy (and the extent to which consumers have access to and may correct or object to the results of such systems) when conducting an “automated decision system impact assessment.” Covered entities must also establish reasonable means for a verified consumer to challenge the accuracy of any personal information of that verified consumer.

    There are no other specific requirements with respect to data minimization, storage limitations, or accuracy of the information collected.

    INTEL

    Under the “Collection Limitation” principle, a covered entity must not collect any personal data that is not relevant and necessary to accomplish the specified purpose(s) for which the data was collected. Under the “Data Quality” principle, a covered entity must, to the extent reasonable for the purpose of processing, ensure that the data is complete and accurate, and must update it as necessary to maintain accuracy.

    SCHATZ

    Aside from the duties of care, loyalty, and confidentiality, there are no specific requirements with respect to data minimisation, storage limitation, or accuracy.

    U.S. CHAMBER OF COMMERCE

    The U.S. Chamber of Commerce’s principles do not specifically address data minimisation, storage limitation, or accuracy. At a high level, however, the Chamber states that data protection and control measures should match the sensitivity and risk associated with the data.

    INTERNET ASSOCIATION

    The Internet Association principles provide that individuals should have the ability to request a company correct personal information it has that relates to the individual. Additionally, an individual should also have the ability to request that the personal information the individual provided be deleted when that information is no longer necessary to provide the services. Both requests are subject to certain limitations. The Internet Association also recommends that companies consider de-identifying, pseudonymizing, or aggregating data.

  • Security and Prevention

    BLUMENTHAL/MARKEY

    An edge provider must develop “reasonable data security practices” and notify a customer if a breach of security has occurred and harm is reasonably likely to occur. A “breach of security” is any instance in which a person, without authorization or in violation of any authorization provided to the person, gains access to, uses, or discloses sensitive customer proprietary information. An edge provider must also “implement strong protection” for sensitive customer proprietary information that has been de-identified, to prevent the restoration of any personally identifiable information that has been previously removed.

    KLOBUCHAR

    An operator of an online platform must establish and maintain a “privacy or security program” for the online platform. The operator should publish a description of how the operator will use the personal data of the user and how the operator will address the privacy risks associated with the development of new products and services.

    POE

    H.R.1039 requires data processors and controllers to ensure compliance with relevant privacy rules.

    JOHNSON (DATA Act)

    The draft of the DATA Act does not specifically include any security or prevention provisions.

    JOHNSON (APPS Act)

    According to the draft of the APPS Act, the developer of a mobile application shall take “reasonable and appropriate” measures to prevent unauthorized access to personal data.

    DELBENE

    Each operator should annually obtain a privacy audit from an “objective, independent third-party professional…” which should set forth the privacy, security, and data use controls that the operator has implemented and maintained during the reporting period. Additionally, the audit should certify whether the “privacy and security controls operate with sufficient effectiveness to provide reasonable assurance to protect the privacy and security of sensitive personal information or behavioral data and that the controls have so operated throughout the reporting period.”

    WYDEN

    Under the draft bill, a covered entity would be required to establish and implement “reasonable cybersecurity privacy policies, practices, and procedures to protect personal information used, stored, or shared by the covered entity from improper access, disclosure, exposure or use.” Covered entities would also be required to implement “reasonable physical, technical, and organizational measures” to ensure that the covered entity’s products and technologies are built and function consistently with reasonable data protection practices.

    INTEL

    The Intel draft bill requires covered entities to institute a comprehensive data security program consistent with the codification of the Fair Information Practice Principles (FIPPs). Such a program should include administrative, technical, and physical privacy protections that take into consideration the following factors:

    • the size and complexity of the organizations, and the nature and scope of the organization’s activities
    • the privacy risk associated with personal data (including its misuse by other organizations).

    Such a data security program should at a minimum:

    • ensure confidentiality, integrity, availability, and security of personal data;
    • protect against unauthorized access, acquisition, disclosure, destruction, alteration or use of personal data;
    • protect against any anticipated threats or hazards to the security or integrity of personal data; and
    • protect against unauthorized processing of personal data.

    SCHATZ

    Under the duty of care, an online service provider must “reasonably secure individual identifying data from unauthorized access” and “promptly inform an end user of any such breaches with respect to the sensitive data of that end user.” The bill gives the FTC the authority to extend the above breach notification requirements to categories of data other than sensitive data.

    GOOGLE

    Proposed national data protection legislation should include requirements to secure personal information. According to Google, organizations must implement reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, modification, and destruction. Furthermore, organizations should expeditiously notify individuals of security breaches that create a significant risk of harm.

    U.S. CHAMBER OF COMMERCE

    The Chamber recommends that Congress include risk-based data security and breach notification provisions. With respect to security, the Chamber recognizes that security requirements differ between individual businesses, adding further that “one-size-fits-all approaches are not effective.” Companies should have flexibility in determining “reasonable security practices.” Furthermore, data protection and controls should be considered in light of the benefits and risks presented by the data.

    INTERNET ASSOCIATION

    The Internet Association recognizes that there are a number of state laws relating to privacy and data security, which are enforced differently and using different standards. The Internet Association recommends a national data security law that preempts the various state laws.

  • Accountability and Recordkeeping

    BLUMENTHAL/MARKEY

    The draft bill does not specifically reference accountability or record keeping.

    KLOBUCHAR

    According to the draft bill, to demonstrate compliance, an operator of an online platform is required, at least once every two years, to audit the privacy or security program of its online platform. The bill creates a safe harbor with “respect to the development of privacy-enhancing technology by an operator of an online platform.”

    POE

    JOHNSON (DATA Act)

    Under the proposed DATA Act and subject to certain exceptions, a data broker must establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the data broker. The bill also gives the FTC the authority to regulate the form and substance of such audits.

    JOHNSON (APPS Act)

    The proposed APPS Act creates a safe harbor for a mobile app developer that a developer can use to satisfy the requirements under the APPS Act. To qualify for the safe harbor, the developer must follow a specific code of conduct for consumer privacy that was developed by the National Telecommunications and Information Administration (NTIA) in 2012. Such a code of conduct must also be approved by the FTC.

    DELBENE

    As stated above, operators must obtain a “privacy audit from an objective, independent third-party professional with substantial experience in the field of privacy and data protection, who uses procedures and standards generally accepted in such field.”

    WYDEN

    Certain covered entities are required to submit to the Commission an annual data protection report describing in detail whether, during the reporting period, the entity complied with the provisions of the bill. Each report must be accompanied by a written statement by the chief executive officer, chief privacy officer (or equivalent), and chief information security officer of the company. The bill also proposes harsh penalties for certifying a report that does not comport with the bill.

    • Penalties for willfully certifying a report knowing that the report does not comport with all of the requirements of the bill:
      • fined not more than $5,000,000 or 25% of the largest amount of annual compensation received during the 3 preceding years;
      • imprisoned not more than 20 years;
      • or both of the above.
    • Penalties for knowingly certifying a report that does not comport with all of the requirements of the bill:
      • fined not more than $1,000,000 or 5% of the largest amount of annual compensation received during the 3 preceding years;
      • imprisoned not more than 10 years;
      • or both of the above.

    INTEL

    Under the Intel draft bill, to ensure compliance, a covered entity must create an accountability program that addresses and includes:

    1. Policies;
    2. Internal leadership, staffing, and oversight;
    3. Staffing and delegation;
    4. Education and awareness;
    5. Ongoing risk assessment and mitigation;
    6. Program risk assessment oversight and validation;
    7. Incident management and complaint handling;
    8. Internal enforcement; and
    9. Redress

    The Intel draft bill creates a Safe Harbor for covered entities that would not subject the covered entities to certain civil penalties under the bill. Covered entities would still be subject to certain equitable remedies. For a covered entity to qualify, a corporate officer of the covered entity would be required to submit to the FTC an annual data protection report and also certify that the covered entity has conducted a thorough review and that such review did not reveal any “material non-compliance” with the draft bill. A covered entity would need to recertify annually to maintain the protection of the Safe Harbor.

    A covered entity that commits repeat violations of the bill would lose its Safe Harbor status. The bill also imposes stiff penalties for whoever certifies the report knowing that the report contains false or inaccurate information.

    • Fined not more than $1,000,000; or
    • Imprisoned not more than 10 years.

    SCHATZ

    The bill does not specifically refer to “accountability” or “recordkeeping” beyond what may be implied in an online service provider’s duty of care, loyalty, and confidentiality.

    GOOGLE

    The Google framework recommends that organizations be held accountable for compliance, but also lawmakers and regulators should set “baseline requirements and enable flexibility in how to meet those requirements.” Google also suggests that industry accountability programs and safe harbor can “incentivize best practices,” particularly in dealing with emerging technologies. Compliance should also be consistent across the globe.

    U.S. CHAMBER OF COMMERCE

    The U.S. Chamber of Commerce stresses flexibility for businesses demonstrating compliance with a federal privacy law. The Chamber recommends that a federal privacy law should include safe harbors and other incentives to promote the development of adaptable, consumer-friendly privacy programs. Furthermore, the Chamber believes that a federal regulator should be the sole enforcement entity and specifically that there should be no private right of action, as it would mean that companies are forced to divert resources to “litigation that does not protect consumers.”

    INTERNET ASSOCIATION

    The Internet Association’s proposed framework suggests that a new comprehensive federal privacy framework would bolster consumers’ privacy and ease compliance for companies.

  • Data Protection Officer

    BLUMENTHAL/MARKEY

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    KLOBUCHAR

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    POE

    JOHNSON (DATA Act)

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    JOHNSON (APPS Act)

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    DELBENE

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    WYDEN

    Senator Wyden’s draft bill would require that each covered entity designate at least 1 employee who reports directly to an employee acting in an executive capacity (e.g. director-level or higher) in the covered entity to coordinate efforts to comply with and carry out its responsibilities under the bill. Such responsibilities would include responding to any request or challenge related to the sharing of personal information. Furthermore, as described above, a covered entity’s chief executive officer, chief privacy officer (or its equivalent), and chief information security officer (or its equivalent) must certify the covered entity’s annual data protection report to the FTC.

    INTEL

    According to the “Accountability” principle, a covered entity would be required to appoint a “data privacy leader” responsible for developing and implementing the covered entity’s consumer privacy and data security program, and related policies and practices. The data privacy leader would report to senior management and be supported by appropriate resources and personnel.

    SCHATZ

    The draft bill does not specifically or generally reference a data protection officer or an equivalent thereof.

    GOOGLE

    The draft framework does not specifically or generally reference a data protection officer or an equivalent thereof.

    U.S. CHAMBER OF COMMERCE

    The draft framework does not specifically or generally reference a data protection officer or an equivalent thereof.

    INTERNET ASSOCIATION

    The draft framework does not specifically or generally reference a data protection officer or an equivalent thereof.

  • Privacy by Design

    BLUMENTHAL/MARKEY

    The draft bill does not specifically or generally reference privacy by design.

    KLOBUCHAR

    Privacy by design is vaguely referenced in the bill. An operator of an online platform may not introduce a new product or implement any material change to the privacy or security program of the online platform that overrides the privacy preferences of a user, unless the operator has:

    • informed the user that the new product or change will result in the collection and use of personal data;
    • provided the option to withdraw; and
    • obtained affirmative express consent from the user to the introduction of the new product or the implementation of the change.

    POE

    H.R.1039 requires data processors to design their systems in a way that, by default, protects personal information from being used for other purposes.

    JOHNSON (DATA Act)

    The draft bill does not specifically or generally reference privacy by design.

    JOHNSON (APPS Act)

    The draft bill does not specifically or generally reference privacy by design.

    DELBENE

    The draft bill does not specifically or generally reference privacy by design.

    WYDEN

    Privacy by design is not explicitly mentioned; however, the design of an “automated decision system” must be considered by the covered entity when the covered entity conducts its “automated decision impact assessment” before it uses such systems.

    INTEL

    Privacy by design is not explicitly mentioned; however, according to the draft bill’s “Accountability” principle, a covered entity is required to identify, assess, and mitigate privacy risk, including privacy risk raised by new products, services, technologies, methods of processing, and business models.

    SCHATZ

    The draft bill does not specifically or generally reference privacy by design.

    GOOGLE

    Regulators should “encourage the design of products to avoid harm to individuals and communities.”

    U.S. CHAMBER OF COMMERCE

    The Chamber encourages incorporating privacy considerations into product and service design, adding further that a “national privacy framework should encourage stakeholders to recognize the importance of consumer privacy at every stage of the development of goods and services.”

    INTERNET ASSOCIATION

    The Internet Association recommends that companies should take into account privacy and data security “when they design and update their services.”

  • Privacy Impact Assessment

    BLUMENTHAL/MARKEY

    The draft bill does not reference privacy impact assessments.

    KLOBUCHAR

    The draft bill does not reference a privacy impact assessment but does require that the operator of an online platform detail how the operator will address the privacy risks associated with the development of new products and services.

    POE

    JOHNSON (DATA Act)

    The draft bill does not reference privacy impact assessments.

    JOHNSON (APPS Act)

    The draft bill does not reference privacy impact assessments.

    DELBENE

    WYDEN

    The draft bill would require covered entities to conduct, where applicable, up to 3 different privacy impact assessments:

    1. Automated Decision System Assessment: a study evaluating an automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security. A separate assessment may be required for existing and new “high-risk automated decision systems” that are used or will be used by a covered entity.
    2. Data Protection Impact Assessment: a study evaluating the extent to which an information system protects the privacy and security of the personal information the system processes.

    INTEL

    Under the draft Intel bill, covered entities would be required to conduct a privacy impact assessment in several instances:

    • Automated Processing: processing by algorithmic, machine learning, or artificial intelligence techniques requires a covered entity to conduct an impact assessment that addresses privacy risks and data quality issues (e.g. fairness, bias, and non-discrimination).
    • Ongoing Risk Assessment: covered entities are required to identify, assess, and mitigate privacy risk on an ongoing basis.
    • Program Risk Assessment: a periodic assessment (no less than annually) of the covered entity’s accountability program and compliance with the draft bill.
    • Third Party Assessment: a periodic assessment (no less than annually) to determine whether third parties engaged by the covered entity are in compliance with the draft bill.

    SCHATZ

    The draft bill does not reference privacy impact assessments.

    GOOGLE

    The proposed framework does not reference privacy impact assessments.

    U.S. CHAMBER OF COMMERCE

    The proposed principles do not reference a privacy impact assessment.

    INTERNET ASSOCIATION

    The proposed framework does not reference a privacy impact assessment.

  • Data Subject Rights

    BLUMENTHAL/MARKEY

    Aside from the implicit right to withdraw his or her consent, the bill provides that the FTC shall create rules and guidance establishing procedures for the resolution of complaints by consumers regarding covered entities’ improper use, storage, or sharing of consumers’ personal information.

    KLOBUCHAR

    The draft bill offers users of an online platform several rights.

    • (Explicit) Right to Access: a user may obtain a copy of his or her personal data, free of charge and in an electronic and easily accessible format.
    • (Implicit) Right to withdraw consent: a user must be able to withdraw his or her consent as easily as the user is able to give such consent.
    • (Implicit) Right to be informed: a user has a right to be informed about an operator’s data collection and usage practices and to be informed of material changes to such practices for existing or new products or services.

    POE

    Under H.R.1039, individuals have the right:

    • to revoke consent for data processing at any time;
    • not to be subject to automated decisionmaking, including profiling, without human intervention if the decisionmaking has legal or otherwise significant effects on the individual;
    • to know which entities have access to the data of the individual and how that data are being used;
    • to correct the data of the individual if it is inaccurate or incomplete; and
    • to obtain and reuse the data of the individual for the purposes of the individual across other services.

    JOHNSON (DATA Act)

    • Right to Access (Consumer Access): a data broker must provide an individual a means to review any personal information (or certain other information) that the data broker collects, assembles, or maintains on that individual.
    • Right to Correction (Disputed Information): an individual may dispute the accuracy of any personal information relating to the individual that the data broker maintains. The data broker must correct any inaccuracies where applicable.
    • Right to Withdraw Consent:

    JOHNSON (APPS Act)

    • Right to Withdraw Consent: the user has the right to withdraw his or her consent to the mobile app developer’s further collection of personal data through the application. The user then also has the right to request that the developer either 1) delete any personal data collected and stored by the developer; or 2) refrain from any further use or sharing of such data.

    DELBENE

    • (Implicit) Right to be informed – The bill requires operators to provide users with information regarding who will be collecting the user’s personal information, how it will be used, and with whom it may be shared;
    • Right to Opt Out (non-sensitive personal information) – Operators must provide users with the ability to opt out at any time of any collection, storage, processing, selling, sharing (including sharing with third parties) or other use of non-sensitive personal information;
    • Right to be Informed about Withdrawal of Consent (sensitive personal information) – As part of an operator’s privacy policy, the user should be informed as to how consent to collecting, storing, processing, selling, sharing, or otherwise using the sensitive personal information, including sharing with third parties, may be withdrawn.

    WYDEN

    • Right to Withdraw Consent: a consumer has the right to withdraw his or her consent. The covered entity must notify the consumer of such a right and how to exercise that right.
    • Right to Challenge Accuracy: a consumer has the right to challenge the accuracy of any stored personal information of that verified consumer. The covered entity must implement a reasonable process for responding to such a challenge and must also disclose the contact information for the employee overseeing such a challenge.

    INTEL

    While not described as “rights” by the Intel draft bill, the subsection on “Individual Participation” requires that a covered entity provide any individual with a readily available means to promptly obtain:

    • Information: confirmation of whether personal data concerning the individual are processed by the covered entity, and descriptions of what specific personal data are processed and how such data are processed;
    • Access: reasonable access to the individual’s personal data; and
    • Correction/Rectification: the ability to correct erroneous personal data and to supplement personal data voluntarily to address data quality requirements.

    SCHATZ

    There are no specific references to data subject rights, other than those which may be implied by an online service provider’s duties of care, loyalty, and confidentiality.

    GOOGLE

    Individuals must be given the ability to access, correct, delete, and download their personal information and, where practical, make such personal information available for export in a machine-readable format.

    U.S. CHAMBER OF COMMERCE

    The Chamber’s principles do not refer to rights of individuals specifically but do suggest that a new privacy framework should not create a private right of action (instead the FTC should be the sole enforcing entity).

    INTERNET ASSOCIATION

    The Internet Association’s framework recommends that a new national privacy framework should foster trust by enabling individuals to understand their rights regarding how their personal information is collected, used, and shared.

  • Vendor Management

    BLUMENTHAL/MARKEY

    The bill does not reference vendor (or third-party) management.

    KLOBUCHAR

    The bill does not reference vendor (or third-party) management.

    POE

    H.R.1039 requires data processors to implement appropriate oversight over third-party data processors.

    JOHNSON (DATA Act)

    The bill provides for certain exceptions from provisions of the bill for data brokers that process information collected by and on behalf of certain third parties.

    JOHNSON (APPS Act)

    A “third party” is an entity that holds itself out to the public as separate from the developer, such that a user of the application would not reasonably expect the entity to be related to the developer or to have access to personal data the user provides to the developer. Any mobile application that allows a third party access to personal data collected by the application will be considered to have shared such personal data with the third party (whether or not the data was first transmitted to the developer). As stated above, personal data that is shared is subject to other provisions (e.g. the developer must tell the user with whom their personal data is shared).

    DELBENE

    The bill does not impose specific requirements on an operator with respect to a “third party” other than informing a consumer if such a third party is to receive the consumer’s information and ensuring that a third party fulfills a consumer’s withdrawal of consent.

    According to the bill, a “third party” is an individual or entity that uses or receives sensitive personal information or behavioral data obtained by or on behalf of an operator.

    There are two major exceptions to this definition:

    • Contractual: a service provider of an operator to whom the operator discloses the consumer’s personal information for an operational purpose pursuant to an agreement. Such an agreement should prohibit the receiving party from using or disclosing the personal information for any purpose other than the purposes contemplated by the agreement; and
    • Necessity: any entity that uses such data only as reasonably necessary to: 1) comply with applicable law; 2) enforce an operator’s terms of use; or 3) detect, prevent, or mitigate fraud or security vulnerabilities.

    WYDEN

    A “third party” is defined as any person, partnership, or corporation that is:

    • not the entity sharing the personal information; and
    • not solely outsourcing on behalf of the sharing entity (subject to certain other provisions); and
    • not an entity for whom the individual gave explicit consent for the covered entity to share information with.

    The development and implementation of a “Do Not Track Website” aims to prevent third parties with whom personal data was shared from retaining the personal information for secondary purposes. The bill does not provide further detail.

    INTEL

    According to Section 5 (“Oversight of Third Parties By a Covered Entity”), a covered entity that engages a third party with respect to its processing must:

    • exercise appropriate due diligence in the selection of the third party for responsibilities related to personal data, and take reasonable steps to maintain appropriate controls;
    • require the third party by contract to implement and maintain appropriate measures to ensure compliance with certain provisions of the bill; and
    • implement an assessment process to determine whether the third party is in compliance.

    SCHATZ

    The bill does not specifically reference vendor management.

    GOOGLE

    Google calls for a distinction between “controllers” and “processors” adding further that such a distinction allows for the “efficient use of vetted, qualified vendors…” Processors can look to controllers to meet certain obligations under the law, but processors must still meet basic programmatic and security responsibilities.

    U.S. CHAMBER OF COMMERCE

    The Chamber’s principles do not specifically reference vendor management.

    INTERNET ASSOCIATION

    The Internet Association’s framework does not specifically reference vendor management.

  • Cross-Border Data Transfer and Localisation

    BLUMENTHAL/MARKEY

    The draft bill does not specifically address cross-border data transfer and localisation.

    KLOBUCHAR

    The draft bill does not specifically address cross-border data transfer and localisation.

    POE

    JOHNSON (DATA Act)

    The draft bill does not specifically address cross-border data transfer and localisation.

    JOHNSON (APPS Act)

    The draft bill does not specifically address cross-border data transfer and localisation.

    DELBENE

    The draft bill does not specifically address cross-border data transfer and localisation.

    WYDEN

    The draft bill does not specifically address cross-border data transfer and localisation.

    INTEL

    The only reference to cross-border data transfer and data localisation is where the bill provides that the FTC shall coordinate enforcement actions with Data Protection Authorities or similar offices of foreign nations in a manner consistent with authorities in the bill.

    SCHATZ

    The draft bill does not specifically address cross-border data transfer and localisation.

    GOOGLE

    Google’s framework encourages cross-border data flow and discourages data localisation (“geographic restrictions on data storage”).

    U.S. CHAMBER OF COMMERCE

    The Chamber’s principles suggest that Congress adopt policies that promote the free flow of data across international borders and facilitate interoperable cross-border data transfer frameworks.

    INTERNET ASSOCIATION

    The Internet Association’s framework does not specifically address cross-border data transfer and localisation.

  • Incident and Breach

    BLUMENTHAL/MARKEY

    According to the bill, an edge provider must notify a customer of a “breach of security” if the edge provider determines that an unauthorized disclosure of the sensitive customer proprietary information of the customer has occurred and harm is reasonably likely to occur.

    A “breach of security” means “any instance in which a person, without authorization or in violation of any authorization provided to the person, gains access to, uses, or discloses sensitive customer proprietary information.”

    Note that the definition of “breach of security” only includes “sensitive customer proprietary information” and not “personally identifiable information.”

    KLOBUCHAR

    The bill does not impose specific requirements with respect to an “incident” or “breach”.

    POE


    JOHNSON (DATA Act)

    The bill does not impose specific requirements with respect to an “incident” or “breach”.

    JOHNSON (APPS Act)

    The bill does not impose specific requirements with respect to an “incident” or “breach”.

    DELBENE

    The bill does not impose specific requirements on an operator with respect to an “incident” or “breach.” The bill would require that an operator’s required annual audit be submitted to the FTC or a State attorney general within 10 days of notice of an operator’s alleged violation of the act.

    WYDEN

    The bill does not impose specific requirements with respect to an “incident” or “breach”.

    INTEL

    As part of the Accountability principle, covered entities would be required to implement and maintain procedures for responding to data breaches and for addressing inquiries and complaints concerning personal data.

    SCHATZ

    The bill imposes a “duty of care” on online service providers which requires an online service provider to “reasonably secure individual identifying data from unauthorized access.” In the event of any breach of the duty of care with respect to “sensitive data” of an end user, an online service provider must “promptly inform [the] end user” of such breach. The bill also provides that the FTC may choose to expand the breach notification requirements to include other categories of data besides just “sensitive data.”

    GOOGLE

    As stated above, the Google framework recommends that organizations must implement “reasonable” precautions to protect personal information and should “expeditiously” notify individuals of security breaches that “create significant risk of harm.”

    U.S. CHAMBER OF COMMERCE

    The Chamber recommends preemptive federal data security and breach notification requirements.

    INTERNET ASSOCIATION

    The Internet Association framework calls for a national breach notification law that would preempt the patchwork of different data breach notification laws in all 50 states and the District of Columbia.

  • Enforcement and Relationship with State Laws

    BLUMENTHAL/MARKEY

    Subject to certain exceptions, the draft bill would be enforced by the FTC. A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. Certain other federal agencies would enforce the bill in the sectors they already regulate (e.g. banks, air carriers, etc.).

    If a State attorney general has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates the bill, the State attorney general may file an action on behalf of the residents of the State in a district court of the United States. Before filing such a complaint, the State attorney general must also file notice with the FTC. The FTC also has the right to intervene in any action brought by a State attorney general.

    The bill would only preempt certain sections of the Communications Act of 1934 (47 U.S.C. 222, 338(i), 551).

    KLOBUCHAR

    A State attorney general may bring an action based on legitimate consumer complaints against any person engaged in a practice that violates this bill. The State attorney general must provide notice to the FTC of its intention to bring an action.

    A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. Any other consumer protection officer of a State who is authorized by the State to do so may bring a civil action, subject to the same requirements as State attorneys general.

    The bill does not address preemption of state or federal law.

    POE

    JOHNSON (DATA Act)

    A State attorney general may bring an action based on legitimate consumer complaints against any person engaged in a practice that violates this bill. The State attorney general must provide notice to the FTC of its intention to bring an action.

    A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. Certain other State officials who are authorized by the State to do so may bring a civil action, subject to the same requirements as State attorneys general.

    The bill does not preempt any other federal law and does not address preemption of state law.

    JOHNSON (APPS Act)

    A state attorney general may bring an action based on legitimate consumer complaints against any person in a practice that violates this bill. The State attorney general must provide notice to FTC of its intention to bring an action.

    A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. Certain other State officials who are authorized by the State to do so may bring a civil action, subject to the same requirements as State attorneys general.

    The bill does not address preemption of state or federal law.

    DELBENE

    The attorney general of a State (or an authorized State officer) may bring an action on behalf of the residents of the State alleging a violation of the bill. The State must provide prior written notice to the FTC (unless prior notice is not feasible, in which case notice must be provided immediately upon instituting the action). The FTC may intervene in any such action.

    The bill does not address preemption of state or federal law.

    WYDEN

    A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. The bill also aims to bolster the power of the FTC and proposes to establish a “Bureau of Technology,” with 100 additional personnel in that Bureau and in the Division of Privacy and Identity Protection.

    The bill also purports to preempt “private contracts” (i.e., it would be unlawful to commit acts prohibited by the bill “regardless of specific agreements between entities or consumers”).

    INTEL

    Subject to certain exceptions, the draft bill would be enforced by the FTC. A violation of the bill would be a violation of the FTC Act. The FTC may bring actions against any person violating this act. State attorneys general are barred from bringing actions against any defendant named in the FTC’s complaint.

    If a State attorney general has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates the bill, the State attorney general may file an action on behalf of the residents of the State in a district court of the United States. Before filing such a complaint, the State attorney general must also file notice with the FTC. The FTC also has the right to intervene in any action brought by a State attorney general.

    The bill also “preempts any civil provisions of the law of any State or political subdivision of a State that are primarily focused on the reduction of privacy risk through the regulation of personal data collection and processing activities.” State consumer protection laws, private contracts, and certain other State laws, however, would not be preempted.

    SCHATZ

    The attorney general of a State (or an authorized State officer) may bring an action on behalf of the residents of the State alleging a violation of the bill. The State must provide prior written notice to the FTC. The FTC may intervene in any action brought by a State attorney general.

    The bill does not preempt any other federal or State law or regulation, stating explicitly that nothing in the bill may be construed to “modify, limit, or supersede the operation of any privacy or security provision in any other Federal or State statute or regulation.”

    GOOGLE

    Google’s proposed framework does not specifically address preemption of other federal or State laws, but it does recommend that regulators “should avoid conflicting and unpredictable requirements, which lead to inefficiency and balkanization of services and create confusion in consumer expectations.”

    U.S. CHAMBER OF COMMERCE

    The Chamber’s principles recommend that State data breach laws be preempted by a comprehensive federal law. Furthermore, enforcement authority should be left solely to the appropriate State or federal regulator (e.g., the FTC).

    INTERNET ASSOCIATION

    The Internet Association’s framework recommends that a comprehensive federal privacy law preempt State consumer privacy, data security, and data breach laws. Such a federal privacy law should be enforced by the FTC at the federal level and by State attorneys general at the State level where the FTC decides not to act.
