July 4, 2022

Volume XII, Number 185


July 01, 2022


Congressional Privacy Action – Part 2: The House

The House Bill.  The House is taking a different approach to drafting a federal privacy bill.  On December 18, Democratic and Republican staff for the House Energy & Commerce Committee released a bipartisan staff draft for circulation.  The “staff” in “staff draft” is key – the document does not necessarily reflect the policy positions of Members, particularly committee Chairman Frank Pallone (D-NJ) and Ranking Member Greg Walden (R-OR).  In addition, many key provisions in the staff draft are bracketed, indicating that staff has not reached agreement on those provisions, and they remain unresolved.  Committee staff is seeking stakeholder comments on the staff draft, which will inform their ongoing, bipartisan negotiations.

Unresolved Issues

Among the bracketed provisions in the bill are numerous definitions, including the definitions of “covered information” and “sensitive information”.  Of particular note, the scope of web browsing data under the definition of “sensitive information” is unresolved, reflecting similar policy differences on browsing data in USCDPA and COPRA.  Given that the scope of the bill flows from these definitions, the universe of information covered by the draft is still unknown.  This also holds true with respect to the treatment of entities that are already governed by existing sector-specific federal laws and the Communications Act, as the staff draft is entirely bracketed without any proposed language on that front.  Similarly, the treatment of children’s privacy issues, currently governed by the Children’s Online Privacy Protection Act (COPPA), is also bracketed.  Rep. Bobby Rush (D-IL) has already introduced a bill updating COPPA – as a primary author of his own bill and as a cosponsor of a bill (with a narrower scope) introduced by Rep. Tim Walberg (R-MI).  And Rep. Kathy Castor (D-FL) is also drafting a standalone bill that will address the existing protections COPPA affords, as well as protections for young teens not currently covered by the law.  Other major provisions that are bracketed without any draft language include preemption of state laws and a federal private right of action, likely reflecting the similar, stark disagreements embodied in the two Senate bills.

Agreed upon Provisions

Within that context of uncertainty, the House staff draft directs the FTC to promulgate a series of rules (under the Administrative Procedure Act) that address familiar themes in the privacy policy sphere.  First, the draft directs the Commission to issue a rule on mandatory privacy policies that covered entities must create and maintain.  In so doing, covered entities with an undetermined (i.e., bracketed) threshold of gross revenue or those holding data on an undetermined number of individuals are required to submit a detailed “privacy filing” and a filing fee (of an undetermined amount) with the FTC.  Like the Senate bills, a privacy protection officer is required to certify the contents of that policy, but it is unresolved whether a senior executive official will be similarly required to do so.  Like COPRA, the House draft also establishes a new Bureau of Privacy.

Unlike either of the Senate draft bills, the House staff draft directs the FTC to promulgate rules that require covered entities to establish and implement a privacy program.  Such a program constitutes “reasonable policies, practices, and proceedings” that the covered entity must adopt to comply with applicable privacy laws, mitigate risks, and appropriately train personnel.  The staff draft directs the Commission to consider numerous factors in its rulemaking, including the size, nature, scope and complexity of the covered entity, as well as the sensitivity of the information.

Similar to the Senate bills, the House staff draft requires covered entities to abide by GDPR-esque obligations that allow consumers to access, correct and delete information retained by covered entities.  This provision does not include data portability requirements, which some policy-makers believe should be treated as more of a competitive issue than a privacy matter. 

The House staff draft is largely an “opt-in” bill insofar as there is a general prohibition on covered entities processing covered information without individual “consent”.  However, requisite consent is implied if the covered entity processes the information in a manner that is “consistent with the reasonable consumer expectations within the context of the interaction between the covered entity and the individual”.  This is largely in accordance with the FTC’s guidance and potentially carves out significant swaths of data processing from express consent.  Notably, unlike USCDPA or COPRA, the House draft explicitly includes first-party marketing as “deemed to be consistent” for implied consent, which the FTC has also previously and generally deemed an acceptable practice.  However, unresolved is whether individuals would be able to opt out of such first-party marketing, which is not required under the current FTC framework.  Absent such implied consent, a covered entity is required to “obtain express, written consent” for processing information for most other purposes, including the processing of “sensitive information” (the definition of which, as noted earlier, is largely bracketed).

Lastly, the House staff draft creates a new Bureau of Privacy (like COPRA), as well as a registry for data brokers (like USCDPA).  The House draft also contemplates a cap on civil penalties, both per violation and in total, the latter of which is entirely bracketed in concept.  Under Section 5 of the FTC Act, the cap on civil penalties per violation is $42,530; a cap does not exist on overall civil penalties.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume X, Number 29

About this Author

Christian T. Fjeld
Vice President

Christian is based in our Washington, DC office and is a Vice President of ML Strategies. He assists a variety of clients in their interactions with the federal government.

Prior to joining ML Strategies, Christian spent nearly 10 years in staff leadership roles with the US Senate’s Committee on Commerce, Science, and Transportation serving Senator John D. Rockefeller IV (D-WV) as the former Chairman, Senator Bill Nelson (D-FL) as the former Ranking Member, and Senator Maria Cantwell (D-WA), the current Ranking Member of the committee. During...

Chris Harvie

Chris devotes his practice to assisting cable operators, broadband companies, and content providers with a broad range of legal, policy and legislative matters. He represents clients before federal and state agencies, on Capitol Hill, and in court on a variety of communications law issues. Chris’s areas of specialty include privacy, cybersecurity, surveillance law, broadband policy, franchising and access to local rights-of-way, and policy and legislative issues affecting the Internet of Things. As a former committee counsel to the chair of the US Senate Judiciary Committee’s Antitrust,...

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...