Key GOP senator’s privacy bill includes some new wrinkles like “implicit consent,” and still prohibits private right of action; would it also outlaw “real-time bidding”?
Congress continues to struggle to create a passable federal privacy act. The GOP has generally adopted an advertising and tech industry line in the sand — only the U.S Federal Trade Commission (FTC) or state attorneys general can sue to enforce data privacy, and all state laws in the area should be preempted.
Here are key features of the “Consumer Data Privacy and Security Act,” as introduced this week by U.S. Sen. Jerry Moran, R-Kan.
- Allows attorneys general to enforce law with suits but they have to give the FTC 10 days notice before filing and if the FTC decides to sue instead, they can’t. Also, they can’t sue anyone already being sued under the law by the FTC.
- Pre-emption of all existing state data-privacy laws (this would include California and Virginia)
- No private right of action.
OPT IN CAN BE “IMPLICIT”
Notice of a request to collect or process personal data must be in a “concise, meaningful, timely, prominent and easy-to-understand format that includes the types of personal data” and a purpose for the collection or processing.
Three provisions would appear to put the advertising-technology practice of “real time bidding” in legal jeopardy without extensive opts-in by consumers to many parties. They appear to suggest that only the website or network placing the ads can acquire or use personal data without the user’s knowledge. Others in the RTB chain would have to either obtain their own permission or the first party — with which they have a contract — would have to have disclosed and obtained consent for their involvement.
- First, the bill appears to require that a consumer “opt-in” to the collection of personal data for purposes other than for internal operations to complete a transaction the user has initiated, such as buying something online, billing, shipping, diagnostics, accounting or network management.
- Second, internal operational or short-term transient purposes not requiring explicit consent cannot apply to third-party data users, and cannot be “used to build a persistent profile of the individual.”
- Finally, “operational purposes” not requiring user permission does not apply to personal data collected for advertising or marketing purposes unless it is collected “directly” by a first party or a third-party that has a contract with the first party.
“IMPLICIT” CONSENT IS PROPOSED
In a seemingly unique twist, the proposal allows for explicit as well as “implicit consent.”
“. . . [A]n individual shall be deemed to have consented to a request to collect or process the individual’s personal data if the individual fails to decline the request after being provided with notice described in paragraph (2) and a reasonable amount of time to respond to the request.”
Thus if a user comes to a page with a request to collect data, and fails to take an action to agree or reject, the proposal allows that to be taken as consent. This would PROBABLY not be legal under European Union law, which requires an explicit action of consent. However, the “implicit” consent would not be sufficient for “sensitive personal data.” (BILL, pg. 16-17)
- The bill also:
- Defines data collection as including “acquiring personal data by any means, including by receiving, purchasing or leasing the data or observing or interacting with the individual to whom the data relates.” This would appear to make what Facebook does with user data a form of “collection” by the advertiser. (BILL, pg. 2)
- Defines “de identification as requiring a public commitment “to refrain from attempting to re-identify the data with a specific individual, and adopts controls to prevent such identification” and also requires action to forbid third parties “from attempting to use the data to identify a specific individual and requires the same of all onward disclosures.” (BILL, pg. 4)
- Defines “personal data” as information “that identifies or is linked or reasonably linkable to a specific individual.” Then, “reasonably linkable” is defined as “if it can be used on its own or in combination with other information held by, or readily accessible to, the covered entity or service provider to identify the individual.” (BILL, pg. 5)
- It defines “persistent identifiers” to include a static IP address, a customer number in a cookie, a device or processor serial number or other unique device identifier — as being “reasonably linkable” to an individual. (pg 5-6). This would appear to rule out all of the end runs around cookies collectively defined as “fingerprinting.”
- “Sensitive personal data” includes government IDs (license, SSN, passport, TIN as well as a user name when it is acquired in combination with a password or security question answer. It also applies broadly to health and financial records, including credit/debit card numbers “if combined with an access code, password or credentials that provide access to such an account.” Also deemed sensitive: Information about race, ethnicity, religious beliefs or affiliation, sexual orientation, and geolocation information more precise than a zip code, street, town or city. (BILL, pg. 9-10)
- So-called “small businesses” are exempt if they are below all of a set of threshholds including not more than 500 employees, $50M a year in revenues, annual processing of personal data of one million individuals or sensitive personal data of 100,000 individuals. (BILL, pg. 12)
Author: Bill Densmore