On April 12, 2019, Senator Edward J. Markey (MA) introduced the Privacy Bill of Rights Act (the “Act”), comprehensive privacy legislation intended to protect individuals’ “personal information,” defined as “information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.” This definition is substantially similar to the definition of “personal information” contained in the California Consumer Privacy Act of 2018. The Act also includes an enumerated list of examples that constitute “personal information” and specifically excludes certain publicly available information from the term.
The Act would require the Federal Trade Commission to promulgate regulations that grant individuals a number of rights (subject to certain exceptions), including the right to (1) receive notice about covered entities’ collection, retention, use, and sharing of individuals’ personal information, (2) condition the collection and use of the individual’s personal information on the individual’s opt-in, (3) access certain details about a covered entity’s data practices with respect to the individual’s personal information, (4) access the individual’s personal information in a portable electronic table, (5) correct inaccurate personal information retained or stored by a covered entity, and (6) request that a covered entity delete the individual’s personal information.
The Act also would require the FTC to promulgate regulations prohibiting covered entities from a number of activities (subject to certain exceptions), including (1) refusing to serve an individual because she did not approve the collection, use, retention, sharing or sale of the individual’s personal information, (2) offering financial incentives in exchange for an individual’s opt-in approval to the entity’s use and sharing of the individual’s personal information, (3) disclosing individuals’ personal information to third parties under a written contract in the absence of certain specified contractual provisions, (4) using personal information for certain “unreasonable” purposes, and (5) collecting personal information beyond what is “adequate, relevant, and necessary” for certain activities.
Under the Act, the FTC regulations also would have to require covered entities to “establish and maintain reasonable data security practices to protect the confidentiality, integrity, and availability of personal information.”
Violations of the Act would be generally enforceable by the FTC as an unfair or deceptive act or practice. Certain entities’ compliance with the Act would be enforced by other regulatory authorities. State Attorneys General also would be able to bring civil actions on behalf of their residents who have been threatened or adversely affected by practices that violate the Act or regulations promulgated thereunder. The Act also grants individuals a private right of action and provides that a violation of the Act with respect to the personal information of an individual constitutes an injury in fact to that individual.