On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.
The bill would create a new Bureau of Privacy within the Federal Trade Commission to enforce the bill and an Office of Business Mentorship to assist companies with compliance. It would also provide enforcement authority for state attorneys general, and would provide the FTC with significant rulemaking authority and the ability to levy fines for initial violations of the bill. However, it leaves sections on key issues like preemption and private rights of action in brackets, to be resolved at a later date.
The key sections of the bill that are not currently in brackets would:
- provide individuals with several new privacy rights, including the rights to access, delete and correct their data;
- require companies to maintain privacy policies and require large companies to provide annual filings to the FTC, including the results of an internal risk assessment and the measures taken to address those risks;
- require companies to implement a privacy program and establish reasonable policies, practices and procedures for the processing of covered data. It would also require larger companies to have a designated privacy protection officer;
- require express affirmative consent for the processing of covered data unless the processing is “consistent with the reasonable consumer expectations within the context of the interaction between the covered entity and the individual.” It specifically notes that express affirmative consent is required for all processing of sensitive information, and that consent must be given separately for each use of information;
- prohibit certain practices such as obtaining covered information by false pretenses and processing biometric information to identify an individual;
- require that companies not keep or store data for longer than is reasonably necessary for the purpose for which the data was processed;
- impose safeguards on data transferred to processors and third parties that limit further use of that data;
- require companies to implement reasonable data security “policies, practices and procedures to protect and secure covered information against unauthorized access and acquisition”;
- exclude de-identified information from the definition of covered information; and
- require data brokers to disclose publicly that they are data brokers and register with the FTC.
However, in addition to preemption and the private right of action, the following provisions remain in brackets and are not yet finalized:
- the list of exceptions for when consent is not required to process covered data and how to treat pseudonymized and publicly available information;
- the specific thresholds (such as annual revenue and amount of data processed) for enhanced requirements for large companies;
- the sections where the FTC does and does not have rulemaking authority;
- an entire sub-section on opt-out requirements for the processing of covered information for first-party marketing purposes;
- an entire section on the prohibition of discriminatory use of data;
- an “Additional Prohibitions” section, which includes a prohibition on conditioning the provision of a product or service on an agreement to waive rights granted by the bill and a prohibition on offering financial incentives for waiving those rights;
- the size of the new FTC Bureau of Privacy; and
- several definitions, such as covered information, de-identified information, health information, information broker, pseudonymized information, sell and sensitive information.