
United States Privacy Digest | Notes from the IAPP Publications Editor, Dec. 14, 2018



Greetings from Portsmouth, NH!

I don't know about you, but with year's end just around the corner, it feels like a mad dash to tie up loose ends, wrap up year-long projects, and, well, scramble to complete all those last-minute holiday errands. It's hard to believe 2018 is already coming to a close, but, hey, 2019 could bring a lot of promise.

What remained clear this week, no doubt, is that there will be continued discussion and lobbying in 2019 about a potential federal privacy law in the U.S. Just weeks removed from all the comments supplied to the U.S. National Telecommunications and Information Administration, two notable draft privacy frameworks came out this week. 

On Wednesday, Sen. Brian Schatz, D-Hawaii, and 14 Democratic senators proposed the Data Care Act. Unlike most, if not all, federal privacy bills that preceded it, the Data Care Act would establish a duty of care, loyalty and confidentiality for online companies in relation to personal information. As Sen. Maggie Hassan, D-N.H., characterized it, "Online service providers should be required to act in the best interests of their customers, just like providers of other critical services." 

Schatz said not enough attention has focused on "what happens after the data has been collected." In an interview with TechCrunch, Schatz said the bill aims to provide a general shape of the duties while authorizing the FTC to decide on the details. He wants to avoid a prescriptive mandate and instead "lay down broad principles and then empower an expert agency."

It should be noted, however, that all 15 of the senators backing the bill are Democrats. Will Republicans even consider something like this? And what about industry?

In an email exchange, Wiley Rein Partner Kirk Nahra said that there are "some useful concepts in here," but he suspects "a true fiduciary duty is a real long shot." I'm curious to hear what our readers think about a duty of care concept. Is this a seed of a practical way of regulating privacy in the digital age? Or is it absurd? Maybe somewhere in between? 

Nahra also said the Data Care Act is part of the larger trend in the U.S. regulatory landscape right now. "Pretty much everything we are seeing at this point is planting stakes in the ground for interested audiences." 

This is true. We've seen Intel recently offer up a draft position, and this week, they were joined by the Center for Democracy & Technology. The CDT wants to move beyond the traditional "notice-and-choice" paradigm by aiming to prohibit "data processing that is presumptively unfair." This would include practices that would surprise users or that are nearly impossible for the user to avoid, as well as other secondary uses. The CDT's proposal would also prohibit "deceptive practices, such as dark patterns designed to coerce or confuse users into providing their consent." I think Prof. Woody Hartzog would approve.

They offer a lot more, so if you're interested, I recommend you check them out, and while you're at it, check out Intel's as well. Both organizations want feedback. 

Though there's a lot of uncertainty going into 2019, these coming months will be a crucial time to get involved in the conversation that may well help craft a federal privacy law that could have profound effects on your business's operations. 

