Congressional Privacy Action – Part 2: The House
The House Bill. The House is taking a different approach to drafting a federal privacy bill. On December 18, Democratic and Republican staff for the House Energy & Commerce Committee released a bipartisan staff draft for circulation. The “staff” in “staff draft” is key – the document does not necessarily reflect the policy positions of Members, particularly committee Chairman Frank Pallone (D-NJ) and Ranking Member Greg Walden (R-OR). In addition, many key provisions in the staff draft are bracketed, indicating that staff has not reached agreement on those provisions, and they remain unresolved. Committee staff is seeking stakeholder comments on the staff draft, which will inform their ongoing, bipartisan negotiations.
Among the bracketed provisions in the bill are numerous definitions, including the definition of “covered information” and “sensitive information”. Of particular note, the scope of web browsing data under the definition of “sensitive information” is unresolved, reflecting similar policy differences on browsing data in USCDPA and COPRA. Given that the scope of the bill flows from these definitions, the universe of information covered by the draft is still unknown. This also holds true with respect to the treatment of entities that are already governed by existing sector-specific federal laws and the Communications Act, as the staff draft is entirely bracketed without any proposed language on that front. Similarly, children’s privacy issues, currently governed by the Children’s Online Privacy Protection Act (COPPA), is also bracketed. Rep. Bobby Rush (D-IL) has already introduced a bill updating COPPA – as a primary author of his own bill and as a cosponsor of a bill (with a more narrow scope) introduced by Rep. Tim Walberg (R-MI). And Rep. Kathy Castor [D-FL] is also drafting a standalone bill that will address the existing protections COPPA affords, as well as protections for young teens not currently covered by the law. Other major provisions that are bracketed without any draft language include preemption of state laws and a federal private right of action, likely reflecting the similar, stark disagreements embodied in the two Senate bills.
Agreed upon Provisions
Unlike either of the Senate draft bills, the House staff draft directs the FTC to promulgate rules that require covered entities to establish and implement a privacy program. Such a program constitutes “reasonable policies, practices, and proceedings” that the covered entity must adopt to comply with applicable privacy laws, mitigate risks, and appropriately train personnel. The staff draft directs the Commission to consider numerous factors in its rulemaking, including the size, nature, scope and complexity of the covered entity, as well as the sensitivity of the information.
Similar to the Senate bills, the House staff draft requires covered entities to abide by GDPR-esque obligations that allow consumers to access, correct and delete information retained by covered entities. This provision does not include data portability requirements, which some policy-makers believe should be treated as more of a competitive issue than a privacy matter.
The House staff draft is largely an “opt-in” bill insofar there is a general prohibition on covered entities from processing covered information without individual “consent”. However, requisite consent is implied if the covered entity processes the information in a manner that is “consistent with the reasonable consumer expectations within the context of the interaction between the covered entity and the individual”. This is largely in accordance with the FTC’s guidance and potentially carves out significant swaths of data processing from express consent. Notably, unlike USCDPA or COPRA, the House draft explicitly includes first-party marketing as “deemed to be consistent” for implied consent, which the FTC has also previously and generally deemed as an acceptable practice. However, unresolved is whether individuals would be able to opt-out of such first-party marketing, which is not required under the current FTC framework. Absent such implied consent, a covered entity is required to “obtain express, written consent” for processing information for most other purposes, including the processing of “sensitive information” (the definition of which, as noted earlier, is largely bracketed).
Lastly, the House staff draft creates a new Bureau of Privacy (like COPRA), as well as a registry for data brokers (like USCDPA). The House draft also contemplates a cap on civil penalties, both per violation and in total, the latter of which is entirely bracketed in concept. Under Section 5 of the FTC Act, the cap on civil penalties per violation is $42,530; a cap does not exist on overall civil penalties.