On April 8, 2024, the United States proposed a plan to create a bipartisan comprehensive federal privacy law that would be titled the American Privacy Rights Act of 2024. This is big news: Americans have been waiting for this moment for decades. Although a bill has not yet been formally introduced, a discussion draft has been released for us to examine.
More specifically, the proposed privacy law would establish national consumer data privacy rights and set standards for data security. The discussion draft includes technologically responsive definitions such as “biometric information”, “algorithm”, “high-impact social media company”, “data broker”, “dark patterns”, “de-identified data”, “precise geolocation information”, and more.
Application
Any entity that determines the purpose and means of collecting, processing, retaining, or transferring data and is subject to the Federal Trade Commission Act (FTC Act) (including common carriers and some nonprofits) would be covered by the proposed privacy law.
However, small businesses, governments (and entities working on behalf of governments), and the National Center for Missing and Exploited Children would not be covered under the proposed privacy law (but this exception would not apply to data security obligations and fraud-fighting).
With respect to the data involved, information that identifies or is reasonably linked to an individual or device would be covered by the proposed privacy law. By contrast, de-identified data, employee data, publicly available information, inferences made from multiple sources of publicly available information that are not “sensitive” data and are not combined with data covered by the law, and information in a library, archive, or museum collection would not be covered by the proposed privacy law.
For clarification purposes, some examples of “sensitive” data covered by the proposed privacy law would include: a government-issued identifier such as a social insurance number/social security number; any information that describes or reveals the past, present, or future physical health, disability, diagnosis, or healthcare condition or treatment; genetic information; financial account information; biometric information; precise geolocation information; an individual’s private communications; account or device log-in credentials; calendar information; and intimate images.
Obligations
The following are some of the main obligations that entities covered by the proposed privacy law (including service providers) would need to meet:
- Data minimization: entities would have to ensure that they do not collect, process, retain, or transfer data that is beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual.
- Transparency: entities would have to make publicly available privacy policies detailing their data privacy and security practices and consumers’ rights.
- Data security practices: entities would have to establish data security practices that are appropriate to their size, the nature and scope of their data practices, the volume and sensitivity of the data, and the safeguards involved. These entities would need to be able to assess vulnerabilities and mitigate reasonably foreseeable risks to consumer data.
- Governance: entities would have to have one or more employees serve as privacy or data security officers (if entities are “large data holders”, they must have both privacy and data security officers).
- Risk assessment: entities that use algorithms in a manner that poses a consequential risk of harm must conduct an impact assessment (if they are “large data holders”, they must provide the assessment to the FTC and make it publicly available).
- Other entities: service providers must adhere to the instructions of the entity that is fulfilling its obligations under the proposed privacy law. Also, data brokers have strict obligations to identify themselves on a public website, provide opt-out rights, and link to the FTC’s data broker registry website.
Prohibitions
Entities would be prohibited from doing any of the following:
- Using dark patterns to divert an individual’s attention from notice that is required by the proposed privacy law or impair the exercise of any right under the proposed privacy law.
- Conditioning the exercise of a right under the proposed privacy law by using false, fictitious, fraudulent, or materially misleading statements or representations.
- Retaliating against individuals for exercising their rights under the proposed privacy law, including denying service or charging different rates for goods and services.
- Collecting, processing, retaining, or transferring data in a manner that discriminates on the basis of race, colour, religion, national origin, sex, or disability (there would be exceptions for self-testing to prevent unlawful discrimination, diversifying an applicant or customer pool, or advertising economic opportunities or benefits to underrepresented populations).
- Transferring biometric or genetic information to a third party without the affirmative express consent of the individual.
Consumer rights
Consumers would have the right to access and correct, delete, or export their data, and to know the name of any third-party service providers to which their data is transferred. Consumers living with disabilities would also have the right to have this information in an accessible format.
In addition, consumers would have the right to opt out of the use of their personal information for targeted advertising. Targeted advertising means displaying an online advertisement based on known or predicted preferences or interests associated with an individual or device identified by a unique identifier. Consumers would also be able to opt out of the transfer of their data.
Consumers would also have the right to opt out of consequential decisions made using algorithms in relation to housing, employment, education, health care, insurance, credit, or access to public accommodation.
Enforcement
Under the proposed law, entities would be subject to the FTC Act and the Federal Trade Commission (FTC) would be able to enforce the proposed privacy law since any violations of the proposed law would constitute an unfair or deceptive practice under the FTC Act. In fact, the FTC would be required to establish a new bureau that is comparable to the Bureaus of Consumer Protection and Competition to carry out its obligations under the proposed privacy law.
In addition to the FTC, State Attorneys General, chief consumer protection officers, and other officers of a State would be authorized to enforce the proposed law in Federal District Court. In this context, States would be able to seek injunctive relief, civil penalties, damages, restitution, or other consumer compensation (including fees and costs) as would be appropriate in the circumstances. That said, these officials would have to notify the FTC before initiating any of these actions under the proposed privacy law.
It is also very important to note that this proposed privacy law would give individual consumers the right to bring private lawsuits against any entities that they believe have violated their privacy rights under the proposed privacy law. These consumers could sue for damages, injunctive relief, declaratory relief, and reasonable fees and costs. However, any monetary amounts awarded by a court would have to be offset against amounts recovered for the same violations through FTC or State action.
Another point that must be made is that State privacy laws would be preempted by the proposed federal privacy law, with some exceptions. A person may bring an action and recover statutory damages consistent with Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act for violations where the conduct occurred substantially and primarily in Illinois. Along the same lines, residents of California may recover statutory damages consistent with the California Privacy Rights Act for actions involving breaches.
Other State laws would also be preempted, with the exception of the following:
- Consumer protection laws
- Civil rights laws
- Provisions of laws that address the privacy of employees
- Provisions of laws concerning the privacy of students
- Provisions regarding data breach notifications
- Contract or tort laws
- Criminal laws unrelated to data privacy
- Criminal and civil laws regarding cyberstalking and blackmail
- Public safety laws unrelated to privacy
- Provisions of laws that address public records
- Provisions of laws dealing with banking and financial records
- Provisions of laws concerning electronic surveillance and wiretapping
- Provisions of laws that deal with unsolicited email and phone calls
- Provisions of laws regarding health care, health information, and medical information
- Provisions of laws dealing with the confidentiality of library records
- Provisions of laws tackling encryption
When it comes to federal laws, laws that address information security breaches of common carriers and antitrust laws would not be limited by the proposed privacy law, except where specified in the proposed law. Additionally, entities that are in compliance with other specified federal laws, namely the Gramm-Leach-Bliley Act, HIPAA, and federal data security provisions, would be deemed to be in compliance with the related provisions of the proposed privacy law. It is also worth noting that the Children’s Online Privacy Protection Act would not be changed by the proposed privacy law.
Commencement
If this proposed privacy law makes it all the way through the legislative process, it would be effective 180 days after it is enacted.
What can Canada take from this development?
As most are aware, PIPEDA, the federal privacy law that governs privacy in Canada’s consumer context, was enacted in 2000. It is dated and tired. Bill C-27 is not quite there, but it was an adequate first attempt (with good intentions). Perhaps Canadians can expect some good news on that front now that other progressive jurisdictions are pushing through to enact meaningful privacy protections.
As for the United States, this proposed federal privacy law would be the first of its kind. That said, there were previous attempts, namely HR 8152, the American Data Privacy and Protection Act, which was introduced in the 117th Congress (2021–2022 session) but did not move past the Committee on Energy and Commerce.
Perhaps this is the year—for both countries.