Understanding the Data Care Act
This bill was introduced to establish duties for online service providers with respect to the end user data that such providers collect and use. It was re-introduced by U.S. Senator Brian Schatz (D-HI), having previously been introduced during the 2017-2018 and 2019-2020 legislative sessions. This legislation was introduced on March 23, 2021. Since its introduction, it has been read twice and referred to the Committee on Commerce, Science, and Transportation. Before becoming the law of the land, this bill would need to receive a majority vote in the Senate, a majority vote in the House, and then be signed by the President. Alternatively, if the President vetoes the bill, the veto could be overridden and the bill passed if each chamber of Congress passed the bill with a 2/3 vote in support.
What it Does
What this bill would do is impose duties of care, loyalty, and confidentiality upon “online service providers” in relation to the “individual identifying data” that they hold about “end users”. This bill uses several defined terms. Online service providers are entities that are “engaged in interstate commerce over the internet or any other digital network” and “in the course of business, collect individual identifying data about end users”. These end users are individuals who engage “with an online service provider or log into or use services provided by the online service provider over the internet or any other digital network.” The individual identifying data referenced is “any data that is – (A) collected over the internet or any other network; and (B) linked, or reasonably linkable to – (i) a specific end user; or (ii) a computing device that is associated with or routinely used by an end user.”
Duty of Care
This bill propounds a two-fold Duty of Care: protect end user individual identifying data and, when that protection fails with respect to their sensitive data, notify the end user of the breach. Notice that there are two different types of data under discussion here: individual identifying data and sensitive data. This bill would require notifying end users when their sensitive data was accessed without authorization, but not necessarily when their individual identifying data was accessed without authorization. Sensitive data is a subset of individual identifying data and is specifically defined as data that includes: social security number; personal information collected from a child; government issued identification numbers; financial account numbers; access codes that would permit access to an individual’s financial account; unique biometric data; information that would allow someone to access an individual’s account; the user’s name in combination with the date of birth, mother’s maiden name, or the past or present precise geolocation of the individual; information that relates to the past, present, or future physical or mental health of an individual or the provision of health care to an individual; or the nonpublic communications or other nonpublic user-created content of an individual. Whenever any of that sensitive data is accessed by an unauthorized party as a result of a breach of the online service provider’s duty to protect it, the provider must notify the end user whose data was accessed. The bill also delegates to the Federal Trade Commission (FTC) the authority to determine whether breach notification is necessary for other types of data besides sensitive data.
Duty of Loyalty
This bill also places a Duty of Loyalty upon online service providers. The duty of loyalty requires that online service providers “may not use individual identifying data, or data derived from individual identifying data in any way that – (A) will benefit the online service provider to the detriment of an end user; and (B)(i) will result in reasonably foreseeable and material physical or financial harm to an end user; or (ii) would be unexpected and highly offensive to a reasonable end user.” To breach the duty of loyalty, the online service provider would need to use individual identifying data for their own benefit AND to the detriment of an end user AND the use would either result in reasonably foreseeable, material, physical or financial harm to an end user or would be unexpected and highly offensive to a reasonable end user. This is a difficult standard to breach. This gives online service providers lots of leeway to use end user data without breaching the duty of loyalty.
Duty of Confidentiality
The bill also imposes a Duty of Confidentiality upon online service providers. Under the requirements of this duty, online service providers may not disclose individual identifying data to any other person except as would be consistent with the duties of care and loyalty above. They may not disclose individual identifying data to any other person unless that person enters into a contract with the online service provider that imposes upon this new person the same duties of care, loyalty, and confidentiality that the online service provider is required to adhere to. Beyond just a contract, the online service provider is required to take reasonable steps to ensure that this new person fulfills the duties of care, loyalty, and confidentiality that they have contracted to fulfill, including by auditing, on a regular basis, the data security and data information practices of this new person.
Application of Duties
These duties (care, loyalty, and confidentiality) also independently apply to third parties to whom the online service provider transfers the individual identifying data. Remember that online service providers have to enter into a contract with any person to whom they disclose individual identifying data, in order to contractually impose upon this new person the same duties of care, loyalty, and confidentiality that the online service provider was subject to. This means that this new person would be bound both by this bill and separately through contract to exercise a duty of care, loyalty, and confidentiality with end user individual identifying data.
This appears to impose a duty of care, loyalty, and confidentiality upon anyone interacting with the individual identifying data. However, the bill leaves open the possibility of the FTC providing exceptions for online service providers or recipient third parties. In determining these exceptions, the bill requires the FTC to consider the privacy risks posed by the use of individual identifying data based on the size of the provider or person, the complexity of the offerings of the provider or person, the nature and scope of the activities of the provider or person, and the sensitivity of the consumer information handled by the provider or person AND the costs and benefits of applying these requirements to such entities.
The provisions of this bill would be enforced by the FTC, with violations being treated as unfair or deceptive acts or practices. The FTC also has rulemaking authority to continue fleshing out this bill. As previously mentioned, the FTC can modify the Duty of Care to require breach notification not just when sensitive data has been accessed without authorization, but when other categories of data have been accessed without authorization. The FTC can also determine which categories of online service providers and third parties are exempt from fully complying with this proposed law, as outlined in the previous paragraph. This rulemaking authority would be vested in the FTC, but enforcement responsibility would be shared with the states. State attorneys general and other authorized state officials would be able to file suit on behalf of residents of their states if regulated entities were to violate this proposed law.
Data Care Act in Relation to State Law
A very important point to note regarding this bill is that it would not pre-empt other related federal or state laws. This bill would work side-by-side with CCPA and VCDPA. It only has the possibility of expanding data privacy rights, not contracting them. It certainly would expand data privacy rights in the vast majority of states which do not have comprehensive data privacy laws. It is an open question though as to how much expansion it would provide.
The duty of care consists of two parts: protecting individual identifying data and notifying end users about breaches of their sensitive data. Generally speaking, the requirement to notify is already in place with existing data breach notification laws (which exist in every state in the country). The duty to protect the individual identifying data is more of an expansion. The duty of care does expand data privacy rights even as compared to CCPA and VCDPA.
The duty of loyalty is generally new (though provisions in CCPA and VCDPA work towards the same effect). However, the duty of loyalty imposes many burdens of proof on any plaintiff/prosecutor asserting a violation of the Data Care Act.
The Weakness of the Duty of Loyalty
First, to prove a violation of the duty of loyalty, the use of the data would have to benefit the online service provider to the detriment of the end user. The use of the data can be beneficial to the online service provider in many ways. They may sell the data for value. They may target advertisements at the individual, increasing their advertising ROI. Proving that the use was detrimental to the end user will often be more difficult. Is it detrimental that another company knows about your shopping habits? Is it detrimental that you are seeing more shoes in a style that you like? These are harder questions. Furthermore, it isn’t enough merely to establish that there is a benefit for the online service provider and a detriment to the end user.
The use also needs to reach an additional threshold. It needs either to be something unexpected and highly offensive to a reasonable end user or to be something that would result in reasonably foreseeable material physical or financial harm to an end user. The more sequential qualifications there are in place, the easier it is to escape liability by poking a hole in any one of them. After already going through the trouble of establishing that the online service provider (1) benefited and the end user suffered a corresponding (2) detriment, it is also necessary to prove that the use of the data was (3a) unexpected and (4a) highly offensive. Alternatively, in addition to the (1) benefit and (2) detriment determination, it would be necessary to prove that the use of the data would result in (3b) reasonably foreseeable material (4b) physical or financial harm.
Most of the elements are qualitative, meaning there will often be room for argument about whether they have been met. Physical and financial harms are generally more concrete, but they can still be difficult to prove.
The bottom line is that the duty of loyalty is the weakness in the bill. It is questionable how much data privacy protection it provides.
The duty of loyalty in the Data Care Act is not already encompassed in the CCPA and VCDPA, so the duty of loyalty (though frail) would offer some limited additional expansion of privacy rights.
The duty of confidentiality requires that online service providers take steps to ensure that third parties comply with the duties, including through use of regular audits. This is an expansion of data privacy rights beyond what is offered by the CCPA and VCDPA.
The duty of care requires online service providers to protect individual identifying data and notify end users about breaches of their sensitive data.
Taken all together, the duties of care and confidentiality provide extra data privacy protection. The duty of loyalty provides some extra data privacy protection in limited circumstances.
In our previous article on the Information Transparency and Personal Data Control Act, we looked at the impact of a federal privacy law that would pre-empt state privacy laws. Our present circumstance is very different in the absence of pre-emption and leads to very different outcomes.
The Data Care Act wouldn’t take any privacy rights away; it would only add data privacy rights. In this way, it is of greater benefit to end users. Persons in California would still retain the benefits of the CCPA, and they would also get the added benefit of the protections that the Data Care Act provides. The Data Care Act would automatically impose obligations on vendors and third parties who receive data from online service providers; the CCPA doesn’t. The Data Care Act would also require online service providers to regularly audit the data privacy protections of their vendors and third parties, which the CCPA does not. Similarly, the Data Care Act would grant additional data privacy protections to Virginia residents beyond the VCDPA.
For businesses, the Data Care Act does complicate things a little bit. It would represent another, separate data privacy law to comply with. Online service providers need to think about all of the third parties to whom they disclose individual identifying data. They need to include additional terms in the contracts related to data privacy protection. They also need to notify end users about sensitive data breaches (and possibly breaches of certain categories of individual identifying data). Both of these compliance points are well within Clarip’s wheelhouse. Clarip’s Data Risk Intelligence Scan and Vendor Management platforms allow our clients to see their data flows. Using our Vendor Management platform, clients could stop the flow of individual identifying data to vendors until they sign the updated contract indicating that they will treat the data with the same duties of care, loyalty, and confidentiality that our clients would be subject to. Our Data Risk Intelligence Scan checks to see exactly what data is going where. Clarip can help you determine what data was potentially exposed if a vendor suffered a breach, and whether the data was sensitive data or potentially other data types requiring breach notification as the FTC may decide.
The world of data privacy is always changing and lots of the changes make a big splash. Clarip is here to break the waves and keep your company compliant. Whether you need to be ready for the next big legislation or just need to manage data subject request fulfillment and data mapping, Clarip is here for you. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.