There has been a tremendous uptick in the volume of data privacy legislation introduced in Congress over the past year. On April 12, U.S. Sen. Ed Markey, D-Mass., introduced the “Privacy Bill of Rights Act,” one of the most comprehensive pieces of data privacy legislation proposed in the U.S.

The act, also referred to as S.1214, provides certain protections and rights for data subjects. One need look no further than the EU General Data Protection Regulation and the California Consumer Privacy Act to understand the guiding principles behind the Privacy Bill of Rights Act. Transparency, consent and control over one’s personal data are themes strongly interwoven throughout the GDPR and CCPA, and they are observed throughout the act as well.

The act's definitions of 'covered entity' and 'personal information' are broad

The act defines “covered entity” as any person who collects or otherwise obtains personal information. “Personal information” is defined as information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular individual.

It also provides examples of what qualifies as personal information, which include, but are not limited to, the following:

  • A real name, alias or signature.
  • Date of birth, gender identification or sexual orientation.
  • Marital status, physical characteristic or description.
  • Postal address, telephone number or unique personal identifier.
  • Online identifier, Internet Protocol address or email address.
  • Social Security number, driver’s license number or passport number.
  • Employment history, bank account number or credit/debit card number.
  • Financial information, medical/health insurance information or mental health information.
  • A record of personal property, income, assets or leases.
  • Products or services purchased, obtained or considered.
  • Rentals, other purchasing or consuming history.
  • Biometric data (e.g., retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry).

Certain large tech companies will be impacted by the act's definition of 'personal information'

Large technology companies are also being put on notice, as the definition of personal information will clearly affect how they conduct business with consumers. The act appears to provide individuals with certain protections against profiling by companies: if an inference can be drawn from any of the personal information defined in the proposed legislation, and a profile is then created from that inference, the profile itself also falls under the definition of personal information. Specifically, the act includes a profile “about an individual reflecting the individual’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.”

Enforcement of the Privacy Bill of Rights Act

The proposed legislation sets forth that the U.S. Federal Trade Commission shall be the primary regulator under the act. Within one year of enactment, the FTC is required to promulgate implementing regulations. The FTC has rulemaking authority to “protect the individual and collective privacy rights” enumerated in the legislation.

The legislation also allows for state enforcement. State attorneys general can bring a civil action on behalf of their residents against a covered entity that has violated the act or a regulation that has been promulgated from it.

The state attorney general must provide written notice to the FTC, along with a copy of the complaint, prior to filing an action. However, if the FTC institutes an action first, then during the pendency of the FTC’s action the state attorney general may not institute an action “against any defendant named in the complaint in the action instituted by the FTC based on the same set of facts giving rise to the violation with respect to which the FTC instituted the action.”

Individuals will also have a private right of action for any violation of the act or of a regulation promulgated under it, which may be brought “in any court of competent jurisdiction.” A violation, as it pertains to an individual’s personal information, “constitutes an injury in fact to that individual.”

If the individual prevails in a private action, the act states that the court “may award actual damages, punitive damages, reasonable attorney’s fees and costs and any other relief, including an injunction that the court determines appropriate.”

The legality and enforceability of pre-dispute arbitration agreements

It is common practice for companies to include boilerplate pre-dispute arbitration clauses in the contractual language of customer agreements. The act renders such clauses unenforceable for disputes arising under it: “Notwithstanding any other provision of law, no pre-dispute arbitration agreement shall be valid or enforceable with respect to a dispute between a covered entity and an individual that relates to a violation of this Act or a regulation promulgated under this Act.”

The act further provides that the “validity and enforceability of an agreement to which this subsection applies shall be determined by a court, rather than an arbitrator, irrespective of whether the agreement purports to delegate such determinations to an arbitrator.” In other words, a company cannot route the threshold question of arbitrability to the arbitrator itself.

The act prohibits 'take-it-or-leave-it' offers and financial incentives

The act prohibits covered entities from refusing to serve an individual “… who does not approve the collection, use, retention, sharing, or sale of the individual’s personal information for commercial purposes on the basis of that lack of approval (commonly known as a 'take-it-or-leave-it-offer').”

The proposed legislation also prohibits covered entities from offering financial incentives or discounts in exchange for an individual’s opt-in approval of the use and sharing of the individual’s personal information. However, the act gives the FTC discretion to exempt a particular type of financial incentive if the FTC “determines that the type of financial incentive, as offered by the covered entity, is reasonable, just, and non-coercive.”

The act provides individuals with the right to notice

Under the proposed legislation, the FTC will require covered entities to honor an individual’s right to notice by developing and making available a short-form notice describing the covered entity’s collection, retention, use and sharing of individuals’ personal information. The short-form notice must be clear, concise and well-organized, and must not contain unrelated, confusing or contradictory material. It must also be presented in a format that is prominent and easily accessible, of reasonable length, and clearly distinguishable from other matters.

The act also requires data minimization and data security

The FTC will also require covered entities to adhere to data minimization policies and practices. The collection of an individual’s personal data must not exceed what is adequate, relevant and necessary for purposes such as the performance of a contract or the provision of a requested product or service.

The FTC will further require covered entities to ensure the security of individuals’ personal information. Each covered entity will be required to “establish and maintain reasonable data security practices to protect the confidentiality, integrity, and availability of personal information.”
