Proposed Senate Privacy Bill of Rights Act Includes Private Right of Action
At the end of last week, Senator Edward Markey (D-Mass.) introduced a comprehensive federal privacy bill called the Privacy Bill of Rights Act. The Privacy Bill of Rights Act requires the Federal Trade Commission (FTC) to develop privacy regulations on a number of areas within one year of its enactment. A few of the highlights of the bill include the creation of short-form privacy notices, greater control over data for consumers, limits on the use of personal information for unreasonable purposes, and the imposition of select data minimization and security principles. It also provides for enforcement through a private right of action.
The proposed bill is 45 pages long and contains 19 sections. It is much broader than the California Consumer Privacy Act, covering an extensive range of topics from the development of a list of data brokers for publication online by the FTC to the requirement for every covered entity to appoint a privacy and security officer.
The bill applies broadly to any covered entity, which is defined as any person that collects or otherwise obtains personal information. It does not expressly exempt small businesses, although it is possible that the FTC could decide to apply regulations in a different manner to large and small business.
Here is a summary of some of the key sections of the bill:
Short-Form Privacy Notices – The FTC must require the development of a short-form notice about the collection, retention, use and sharing of personal information. The notice would include:
– what personal information is collected, used, or retained;
– the manner of data collection;
– the purposes of collecting, using, retaining, sharing or selling personal information;
– how long the personal information will be retained;
– which third parties the personal information is shared with, leased to or sold to.
As part of this requirement, the bill calls on the FTC to establish standardized short-form privacy notices.
Opt-In Approval – The bill would direct the FTC to require a covered entity to obtain opt-in approval to collect, use, retain, share or sell personal information. It would also require opt-in approval for any material changes. The bill contains both a list of exceptions and a section covering emergency or exigent circumstances. The bill also authorizes the FTC to grant exemptions for a specific covered entity in some circumstances.
Data Subject Access Rights – The FTC is required to create regulations that provide for an individual’s right to access, correct, delete and receive an export of personal information.
List of Data Brokers – The FTC is required to establish a website listing each data broker in the United States.
Take-It-Or-Leave-It Notices – A covered entity would be prohibited from declining to serve an individual who refuses to approve the collection, use, retention, sharing or sale of the person’s personal information.
Financial Incentives – It prohibits discounts or other incentives in exchange for opt-in approval of the use and sharing of personal information. It provides that the FTC may exempt specific types of financial incentives if it finds them reasonable, just and non-coercive.
Third-Party Disclosures – The bill prohibits disclosures of personal information to a third party except under a written contract that prohibits the third party from using or disclosing the personal information for any reason other than performing the specified services on behalf of the covered entity, and only if the covered entity audits the data security and information practices of the third party not less frequently than once every two years.
Use of PI – The FTC shall have the power to prohibit use of personal information for unreasonable purposes. The unreasonable purposes include selling, leasing, or profiting from an individual’s biometric information. It also includes processing personal information for advertising or marketing in a discriminatory manner in certain sectors, such as employment, healthcare, credit, housing or insurance.
Data Minimization – The FTC shall prohibit collection of personal information beyond what is adequate, relevant and necessary. It also cuts off a covered entity from accessing an individual’s personal information later than 90 days after the conclusion of contract performance, the termination of the relationship, or the point at which the covered entity concludes the steps taken to provide a requested product or service.
Data Security – The FTC will be asked to develop requirements for the establishment and maintenance of reasonable data security practices to protect the confidentiality, integrity and availability of personal information. The requirements shall be technologically neutral, consistent with FTC guidance and recognized industry practices for safety and security, and proportional to the volume and nature of the personal information collected. The entity must make a description of the practices publicly available, notify an individual of an unauthorized disclosure where harm is reasonably likely to occur, and audit its privacy and security practices at least once every two years.
Privacy and Security Officer – The FTC shall require a covered entity to designate at least one employee to coordinate its compliance efforts and carry out the requirements. The contact information for the employee shall be made publicly available.
Enforcement – The law may be enforced by either the FTC or the attorney general of a state that has an interest through the residents of that state. The FTC may intervene in any state lawsuit, and if the FTC brings an action, the federal action preempts any state action. A violation of the law or of regulations developed under it will be considered an unfair or deceptive act or practice under the Federal Trade Commission Act.
Private Right of Action – The bill, if passed, would allow individuals to bring a civil action in court based on a violation of the Act or a regulation developed under the law. Procedurally, a violation is considered an injury in fact to that individual and any pre-dispute arbitration agreement is considered invalid or unenforceable with respect to a violation of the Act. The court may award to the prevailing plaintiff actual damages, punitive damages, reasonable attorney’s fees and costs, and any other appropriate relief.
Although Senator Markey is a member of the Senate Commerce Committee, the Privacy Bill of Rights Act does not appear to be connected to another privacy bill that is in the drafting stages from Committee members, including Senators Roger Wicker (R-Miss.), Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.).
Other Privacy Bills from Senator Markey:
Senator Markey last month introduced bipartisan legislation with Senator Josh Hawley (R-Mo.) to update and extend the Children’s Online Privacy Protection Act (COPPA). Senator Markey was the original House author of COPPA. The bill would prohibit internet companies from collecting personal information on anyone from 13 to 15 years old without the user’s consent. It would also revise the “actual knowledge” standard to one of “constructive knowledge” and create a so-called eraser button to allow for the deletion of personal information. It also establishes a division of the Federal Trade Commission (FTC) to address the privacy of children and minors, as well as marketing directed at children and minors.
Last year around the Facebook hearings in April, Senators Markey and Blumenthal introduced the CONSENT Act, otherwise known as Customer Online Notifications for Stopping Edge-provider Network Transgressions. It required opt-in consent for the collection, sharing and sales of personal information, reasonable security practices, enhanced transparency and breach notifications.