US Privacy Law Developments — Update | White & Case LLP International Law Firm, Global Law Practice

Since our previous privacy law developments posting, there has been significant activity in both the legislative and the executive branches concerning online consumer privacy. On April 12, 2011, Senators John Kerry and John McCain introduced their much anticipated Commercial Privacy Bill of Rights ("Kerry-McCain Bill"), which proposes a comprehensive legislative framework for the protection and use of consumer data. [1] The following day, Representative Cliff Stearns proposed his own consumer privacy legislation, the Consumer Privacy Protection Act of 2011 ("Stearns Bill"). [2] Finally, on April 15, 2011, the Obama administration announced the launch of the National Strategy for Trusted Identities in Cyberspace ("NSTIC") initiative, a strategy proposal for a standardized system of online identification credentials intended to enhance consumer privacy online, improve cybersecurity, and foster the economic growth of online businesses. [3] Each of these proposals would significantly change the way individuals and organizations use consumer data. This posting sets forth a summary of the aforementioned proposals.


Kerry/McCain Privacy Bill of Rights

The Kerry-McCain Bill applies broadly to any person that collects, uses, transfers, or stores "covered information" concerning more than 5,000 individuals during any consecutive 12-month period, and that is (1) a person over which the Federal Trade Commission ("FTC") has authority pursuant to the FTC Act, [4] (2) a common carrier subject to the Communications Act, [5] or (3) a non-profit organization. [6] The Kerry-McCain Bill also applies to any third parties that receive covered information from a covered entity and includes restrictions regarding the transfer to and use by such third parties. [7] The bill puts a specific burden on companies to conduct due diligence on their partners and service providers before sharing consumer data. [8] "Covered information" is broadly defined as any personally identifiable information (such as address, email address, social security number and information such as place of birth if used together with the former), [9] any unique identifier information, [10] and any information that is collected, stored or used in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used to identify an individual. [11]

Covered information does not include:

(i) personally identifiable information obtained from public records that is not merged with covered information gathered elsewhere;
(ii) personally identifiable information that is obtained from a forum where the individual voluntarily shared the information or authorized the information to be shared, and that forum is widely and publicly available and contains no restrictions on who can access and view such information;
(iii) personally identifiable information reported in public media; and
(iv) personally identifiable information dedicated to contacting an individual at the individual's place of work. [12]

The Kerry-McCain Bill also directs the FTC to initiate rulemaking proceedings to provide for additional, more specific protections. [13]

Opt-in and Opt-out Consent

The Kerry-McCain Bill requires the FTC to initiate a rulemaking proceeding to require each covered entity to offer consumers: (1) a clear, robust and conspicuous opt-out consent mechanism for any use of non-sensitive covered information by third parties for purposes of behavioral advertising or marketing, as well as for any "unauthorized use" [14] of such information; and (2) a clear and conspicuous opt-in consent mechanism for the collection, use or transfer of sensitive covered information, except in connection with certain limited permitted uses of such information. [15] The Kerry-McCain Bill defines "sensitive personally identifiable information" as: (1) personally identifiable information which, if compromised, carries a significant risk of economic or physical harm; or (2) information related to a health record, a particular medical condition or the religious affiliation of an individual. [16] Covered entities must also obtain opt-in consent for the use by a covered entity of, or transfer to a third party for an unauthorized use of, previously collected covered information if there is a material change in the entity's practices concerning use of this information and such use or transfer creates a risk of economic or physical harm to an individual. [17]

Privacy by Design and Security

Like the recently issued FTC Privacy Framework, [18] the Kerry-McCain Bill mandates the implementation of data collection and retention limitations [19] and comprehensive and flexible privacy programs for each covered entity, with the goal of creating a universal baseline level of consumer data protection. Specifically, the FTC is directed to initiate a rulemaking proceeding to require each covered entity to develop security measures, in proportion to the size, type and nature of the covered information, to protect the covered information it collects and maintains. [20] As recommended in the FTC Privacy Framework, the Kerry-McCain Bill requires covered entities to implement a comprehensive privacy program by: (1) incorporating necessary development processes and practices throughout the product life cycle to safeguard personally identifiable information; and (2) maintaining management practices throughout the data life cycle that are designed to ensure compliance with the law and the covered entity's privacy policies. [21]

Accountability to Consumers

The Kerry-McCain Bill also includes several provisions that would make covered entities more accountable to consumers. Covered entities must provide timely notices of their practices regarding the collection, use, transfer and storage of covered information, the specific purposes of those practices, and clear, concise and timely notice before implementing a material change in those practices. [22] The Kerry-McCain Bill also requires covered entities to (1) implement "managerial accountability," proportional to the size and structure of the covered entity, (2) develop a procedure for responding to non-frivolous consumer inquiries regarding the collection, use, transfer and storage of covered information relating to such individuals, and (3) describe their means of compliance with the Kerry-McCain Bill upon the FTC's or a safe harbor program's request. [23] Covered entities must provide individuals reasonable access to their covered information and also must implement reasonable procedures to ensure the accuracy of the covered information. [24] At the termination of a relationship with a covered entity, the Kerry-McCain Bill requires that individuals be able to easily request that, subject to certain exceptions, [25] their personally identifiable information be de-identified or, if this is not possible, that the covered entity cease use of the information and not transfer it to third parties for unauthorized use. [26]

FTC Authority and Rulemaking; Safe Harbor Program

The Kerry-McCain Bill directs the Secretary of Commerce to contribute to the development of commercial data privacy policy, but contemplates primary enforcement by the FTC and authorizes the FTC to approve safe harbor programs administered by non-governmental organizations, whereby a compliant covered entity would be exempt from complying with certain requirements of the Kerry-McCain Bill. [27] Although the Kerry-McCain Bill does not prescribe detailed requirements for acceptable safe harbor programs, it does include specific rules guiding and, in some cases, limiting the FTC's rulemaking proceedings. Notably, the Kerry-McCain Bill prohibits the FTC from issuing rules that would require covered entities to deploy "any specific products or technologies, including any specific computer software or hardware." [28] This would effectively prevent the FTC from requiring that covered entities implement a browser-based, universal do-not-track mechanism, which, as discussed in our previous posting, was contemplated in the FTC Privacy Framework. [29]

The creation and implementation of a meaningful safe harbor program will likely do more than other parts of the legislation to promote a culture of better privacy practices in the US. Companies subject to the legislation will likely find that participation in a safe harbor program will provide for a more cost-effective means of privacy compliance than specifically addressing the points of the law section by section or risking liability or public relations problems due to minor violations.

Preemption, Enforcement and Penalties

The Kerry-McCain Bill preempts state laws that apply to covered entities and covered information, with the exception of certain sector-specific state laws and state data breach notification laws, but specifically does not amend or supplant any existing sectoral federal laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act ("HIPAA"). [30] The Kerry-McCain Bill excludes any private right of action, and instead authorizes the FTC to take enforcement action based upon knowing or repetitive violations as unfair or deceptive acts under the FTC Act. [31] Civil fines are limited to $3,000,000 for each related series of violations of any rule promulgated under title 1 (the right to security and accountability) or title 2 (the right to notice and individual participation). [32] The Kerry-McCain Bill does, however, grant authority to state attorneys general to bring civil actions for violations resulting in economic or physical harm to an individual, or for patterns or practices that violate the Kerry-McCain Bill, where the attorney general has a "reason to believe that an interest of the residents of that State has been or is adversely affected." [33] The Kerry-McCain Bill does not allow for simultaneous enforcement of violations by the FTC and a state attorney general; in such cases the attorney general of the particular state will have to cede control of the enforcement to the FTC. [34]


Stearns Consumer Privacy Protection Bill

Representative Cliff Stearns' bill contains some similarities to the Kerry-McCain Bill, in that it is designed to enhance consumer privacy by requiring greater disclosure of privacy practices, a clear and conspicuous opportunity for consumers to preclude the use and sale of their personal information, and an option for covered entities to enroll in FTC-approved self-regulatory programs. [35] The Stearns Bill also applies to any entity that collects, sells, or uses "personally identifiable information" concerning more than 5,000 individuals during any consecutive 12-month period, [36] except for governmental agencies and professional service providers that are required to maintain client confidences due to rules of professional ethics. [37] The Stearns Bill also does not apply to "data processing outsourcing entities" [38] that provide information technology services to covered entities, are contractually obligated to comply with security controls specified by such covered entities, and have no right to use the covered entity's personally identifiable information other than for performing data processing outsourcing services or as required by contract or law. [39] "Personally identifiable information" is defined as information that can identify an individual and includes an individual's physical address, email address, telephone number other than a work number, social security number or other government-issued identification number, and credit or debit card account number. [40] Information such as date and place of birth, and an electronic address including an IP address, would also qualify if used in connection with the former. [41] Personally identifiable information does not include information that is publicly available, anonymous or aggregated, or inferred from data maintained by a covered entity. [42]

Notice and Opt-Out

Under the Stearns Bill, covered entities must establish a brief, concise, clear and conspicuous privacy policy with respect to the collection, sale, use, disclosure and security of personally identifiable information. [43] Covered entities must provide initial notice of the privacy policy to the consumer at the time of collection of any personally identifiable information that may be used for a purpose unrelated to a "transaction" with the consumer, prior to any such use, and upon a material change in the privacy policy. [44] A "transaction" refers to an interaction between a consumer and a covered entity resulting in certain defined uses of the information, including for the marketing or advertising of a covered entity's products to its own customers or potential customers. [45] Under a key provision of the Stearns Bill, covered entities must provide consumers a clear and conspicuous opportunity to preclude, for a period of up to five (5) years, the sale or disclosure to any covered entity that is not an "information-sharing affiliate" [46] of personally identifiable information that may be used for a purpose other than a "transaction" with the consumer. [47] This provision stands in contrast to the Kerry-McCain Bill's sanctioning of the sharing of covered information between a covered entity that collects the information and a covered entity that does not collect the information, but maintains an established relationship with the individual to whom the covered information relates.

Security Measures

Similar to the Kerry-McCain Bill, the Stearns Bill requires covered entities to implement an information security policy for personally identifiable information, which must be approved by the covered entity's senior management and must include a process for taking corrective action to prevent or mitigate unauthorized disclosure of personally identifiable information. [48] Unlike the Kerry-McCain Bill, the Stearns Bill does not specifically require covered entities to adhere to privacy-by-design programs that mandate the integration of privacy practices throughout the product and data lifecycles.

Self-Regulatory Programs

A significant feature of the Stearns Bill provides presumed compliance with its terms for covered entities that comply with enforced and FTC-approved self-regulatory programs. [49] Unlike the Kerry-McCain Bill, which includes a general safe harbor program provision, the Stearns Bill reflects extensive specific requirements for such programs, and grants authority to the FTC to supervise the administration of the programs and their compliance with the requirements of the Stearns Bill. [50]

Preemption, Enforcement and Penalties

Although the Stearns Bill does not affect existing federal sector-specific privacy laws, it specifically preempts all state laws that apply to personally identifiable information and, unlike the Kerry-McCain Bill, it contains no exception for state data breach notification laws. [51] The Stearns Bill excludes any private right of action, and authorizes only the FTC to enforce violations as unfair or deceptive acts under the FTC Act. [52] Bestowing exclusive authority over consumer privacy on the federal agencies represents a departure from the Kerry-McCain Bill, which contemplates at least some state involvement.

Violators could face up to $500,000 in fines for any related series of violations of the Stearns Bill, which is significantly less than the $3,000,000 cap for each related series of violations of a particular title under the Kerry-McCain Bill. [53] In addition, in many situations, the Stearns Bill provides that the covered entity enjoys a presumption that it is in compliance with the law. [54] Such a presumption will only be overcome by clear and convincing evidence of non-compliance. [55] This shifting of traditional evidentiary standards will likely represent a burden to the consumer and the FTC and allow companies to avoid liability in close cases.


White House Online Privacy Initiative

The Obama administration's proposed NSTIC is, in contrast to the two bills previously discussed, a strategy document, reflecting aspirational goals and a loose framework for a voluntary "Identity Ecosystem" that would replace the numerous usernames and passwords that consumers maintain for various online accounts and websites with a single identification credential, such as a smart card or a smart phone application. [56] Under the Identity Ecosystem, individuals and organizations would obtain their credentials from identity providers [57] who would be responsible for establishing, maintaining and securing their unique digital identity. [58] The credentials would be used when accessing an online service to verify a user's identity with the online service provider, but the credential is designed to supply only the minimum amount of information needed to do so. [59] Similarly, service providers who participate in the Identity Ecosystem would receive a "trustmark" from an accreditation authority, the display of which would indicate to consumers that the service provider meets the requirements of the Identity Ecosystem. [60]

Although the Federal Government will participate by coordinating private and public sector involvement and plans to set an example by implementing the Identity Ecosystem for the services it provides both internally and externally, the NSTIC contemplates primary development and implementation of the Identity Ecosystem by the private sector. [61] The Identity Ecosystem will be based on implementation by service providers of a set of fair information practice principles designed to enhance consumer privacy; [62] however, the government will "neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them." [63]


Conclusion

Like the FTC Privacy Framework, the Kerry-McCain Bill and the Stearns Bill, if passed, would place significant requirements on covered entities to develop procedures that allow consumers greater transparency and access to their personal data. Consumers would enjoy much greater protection and clarity concerning the use of their information than they have in the past. However, the Kerry-McCain Bill and the Stearns Bill both move away from the controversial do-not-track mechanism proposed by the FTC and in other proposed legislation, in favor of technology-neutral rules and clear opt-out or opt-in mechanisms based on the nature of the covered information. Although both bills apply to substantially the same class of covered entities and information, they also reflect varying levels of emphasis on the importance of the FTC's privacy-by-design model, and include different provisions concerning application to third parties. While the Kerry-McCain Bill includes consumer choice mechanisms that vary based on the sensitivity of the covered information in question, the Stearns Bill favors a single opt-out mechanism for all types of personally identifiable information. The Stearns Bill would result in complete state preemption, while the Kerry-McCain Bill would coexist with certain state laws and would allow for civil actions by state attorneys general in addition to enforcement by the FTC.

Although similar in its focus on standardization and uniform protection of consumer information, the NSTIC proposal is in a different class than the two proposed bills in that it would overhaul the umbrella framework that each of the proposed bills would exist within. The NSTIC proposal complements the privacy bills in creating a system focused on significantly enhancing consumer privacy.

Privacy advocates have initially commented that the proposed bills are inadequate. In particular, they feel there are loopholes for social media sites and they believe that a private cause of action should be permitted. There is also a general feeling that the Commerce Department, which by its very nature is focused on promoting business, should not be given the role called out in the Kerry-McCain Bill to shape privacy policy. Privacy groups believe the oversight should be consolidated in the FTC, which is concerned with consumer protection. This argument, however, overlooks the fact that the Commerce Department will likely play an important role in trying to harmonize US law with European data protection laws.

In the end, this is a societal debate as to whether there is a greater value placed on individual privacy or the benefits of the technologies we enjoy today and their advancement. The Kerry-McCain Bill, which is likely to be the bill that is focused on going forward, attempts to strike a delicate balance between these two competing interests, and we will continue to monitor the developments.


[1] - A bill to establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes, or the Commercial Privacy Bill of Rights Act of 2011, S.799, 112th Cong. (Apr. 12, 2011).
[2] - A bill to protect and enhance consumer privacy, and for other purposes, or the Consumer Privacy Protection Act of 2011, H.R. 1528, 112th Cong. (Apr. 13, 2011).
[3] - National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security and Privacy, The White House (April 2011), whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
[4] - 15 U.S.C. 45(a)(2).
[5] - 47 U.S.C. 151 et seq.
[6] - Commercial Privacy Bill of Rights, supra note 1, §401.
[7] - Id. § 302(c)(1). Specifically, the restrictions require covered entities to contractually obligate third parties to only use transferred information for purposes that are consistent with the Kerry-McCain Bill; and further require that such third parties do not combine non-personally identifiable information that the covered entity has transferred to it, with other information in order to identify individuals, unless the covered entity has obtained opt-in consent from individuals for such combination and identification. Id. §§ 302(a)(1-2). Covered entities would be required to notify the FTC, if a third party is in material violation of such a contract. Id. § 302(a)(3)(B). Furthermore, the Kerry-McCain Bill would not allow covered entities to transfer information to a third party that it knows has intentionally violated a contract or is reasonably likely to do so. Id. § 302(b).
[8] - Id. §§ 302(a)(3), (b).
[9] - "Personally identifiable information" includes an individual's physical address, email address, telephone number, social security number or other government-issued identification number, credit card account number, and biometric data. Information such as date and place of birth, global positioning system coordinates, and any other information that may reasonably be used to identify an individual would also be considered covered information if used in connection with the former. Id. § 3(5).
[10] - "Unique identifier information" is defined as "a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number." Id. § 3(9).
[11] - Id. § 3(3)(A).
[12] - Id. § 3(3)(B).
[13] - For a provision applying directly to covered entities, see e.g. Id. § 302; for a FTC rulemaking provision, see e.g. Id. § 101.
[14] - "Unauthorized use" is defined as the "use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates." Id. § 3(8)(A). However, "unauthorized use" does not include, among other exceptions, the use of covered information to process and enforce a transaction requested by the individual; to prevent and detect fraud; to investigate a possible crime; for use that is required by law; for marketing to an individual within the covered entity's own website, if the covered information was collected directly by the entity or shared with the entity at the individual's affirmative request; for internal operations; for research and development; or for use that an individual could have reasonably expected when a business relationship was established with a covered entity. Id. § 3(8)(B).
[15] - Id. §§ 202(a)(2), (3). Opt-in consent for sensitive personally identifiable information is not required for: (i) processing or enforcing a transaction or delivering a service requested by the individual; (ii) fraud prevention and detection; or (iii) providing a secure physical or virtual environment. Id. § 202(a)(3)(A).
[16] - Id. § 3(6).
[17] - Id. § 202(a)(3)(B).
[18] - Federal Trade Commission, Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (December 2010), ftc.gov/os/2010/12/101201privacyreport.pdf
[19] - Commercial Privacy Bill of Rights, supra note 1, §§ 301(1), (2). Covered entities would be limited to collecting as much covered information as is necessary for specified purposes including: marketing to an individual if the covered information used for such marketing was collected directly by the covered entity; research and development; or for internal operations to improve the website. Id. § 301(1). Information retention times would be limited to what is necessary for the specified purposes. Id. § 301(2).
[20] - Id. § 101(b).
[21] - Id. § 101.
[22] - Id. § 201(1).
[23] - Id. § 102.
[24] - Id. §§ 202(a)(4), 303(a), (b). Specifically, consumers must have access to a mechanism by which individuals can improve the accuracy of their covered information. Id. § 202(a)(4). Additionally, covered entities would also need to have procedures in place to ensure that covered information which could be used to deny consumers benefits or cause significant harm is accurate. Id. § 303(a). However, covered information provided directly by the individual, or by another entity at the request of the individual, would be exempt from this requirement. Id. § 303(b).
[25] - Personally identifiable information that falls within the exceptions is information that the "individual authorized the sharing of or which the individual shared with the covered entity in a forum that is widely and publicly available." Id. § 202(a)(5)(A).
[26] - Id. § 202(a)(5).
[27] - Id. §§ 501(a), 701.
[28] - Id. § 402(c)(1).
[29] - Preliminary FTC Staff Report, supra note 18 at 66.
[30] - Commercial Privacy Bill of Rights, supra note 1, §§ 601(b), (d).
[31] - Id. § 402(a).
[32] - Id. § 404(c).
[33] - Id. § 403(a).
[34] - Id. § 403(c). Although the FTC may intervene in any action brought by a state attorney general, Id. § 403(b)(2), if the FTC institutes an action, no attorney general may bring a civil action against any defendant named in the FTC action. Id. § 403(c).
[35] - Consumer Privacy Protection Act, supra note 2.
[36] - Id. § 3(4)(A).
[37] - Id. § 3(4)(B).
[38] - "Data Processing Outsourcing Entities" are defined as non-affiliated entities that provide "information technology processing, Web hosting, or telecommunications services to the covered entity." Id. § 3(5).
[39] - Id. §§ 3(4), (5).
[40] - Id. § 3(8)(A).
[41] - Id. § 3(8)(B).
[42] - Id. § 3(8)(C).
[43] - Id. §§ 5(a), 5(b)(1).
[44] - Id. § 5(b)(2)(B).
[45] - Id. § 3(15). Such a notice would need to disclose the identity of each covered entity or description of each class of entities that may collect and use the information, how the information will be used, the extent to which the information is subject to sale or disclosure to an entity that is not an information sharing affiliate of the covered entity, and whether the security measures of the covered entity meet the security practices required by the Stearns Bill. Id. § 5(b)(3). The Stearns Bill would further permit the FTC to take actions to facilitate the development of universal wording or logo-based graphics to convey the contents of such privacy policy statements. Id. § 5(c).
[46] - "Information Sharing Affiliate" is defined as "any affiliate that is under common control with a covered entity, or is contractually obligated to comply with the practices enumerated under the privacy policy statement of the covered entity." Id. § 3(7).
[47] - Id. § 6. Covered entities may not seek reconsideration of a consumer's preclusion until at least 1 year after a preclusion was made. Id. § 6(a)(2).
[48] - Id. § 8.
[49] - Id. § 9.
[50] - Covered entities would have to submit an application to the FTC for enrollment in a self-regulatory program. Id. § 9(b). If the FTC deems the program to meet the requirements of the Stearns Bill, it would be approved for a period of 5 years. Id. § 9(b)(3). During this period, a participant would have to submit self-reviews and self-certifications of its privacy policy and practices to an administrator of the program. Id. § 9(c). The FTC would be required to randomly review participants for compliance with their self-regulatory programs. Id. In addition, these self-regulatory programs would be required to contain a consumer dispute resolution process relating to the privacy policy and practices of the participants. Id. § 9(c)(3). Non-compliant participants would be suspended or terminated from participating in a self-regulatory program, Id. § 9(c)(5), and willfully non-compliant participants would further be subject to the civil penalties described above. Id. § 9(b)(2).
[51] - Id. § 12(d).
[52] - Id. § 10.
[53] - Id. § 10(a).
[54] - Id. § 9(a)(1).
[55] - Id. § 9(d)(4).
[56] - National Strategy for Trusted Identities in Cyberspace, supra note 3, at 5, 29.
[57] - Id. at 21.
[58] - Id.
[59] - Id. at 2, 30.
[60] - Id. at 22.
[61] - Id. at 37.
[62] - Id. at 12.
[63] - Id.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2011 White & Case LLP