In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”). While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements.
The Act would apply to “edge providers,” a term defined broadly enough to capture not only data giants such as Facebook but effectively any online website operator or mobile application that collects personal data. As its name suggests, the Act would require consent: affirmative, express, opt-in consent from a user before an edge provider may use or disclose sensitive user data. Imposing such a consent requirement would upend the status quo in the United States, in which most companies have typically relied on broadly drafted online privacy policies to process the personal data they have collected, a practice that is permitted in most industries so long as a company’s practices do not conflict with the representations made in its policies.
The proposed legislation is almost certainly inspired by the European Union’s General Data Protection Regulation (“GDPR”), which came into effect on May 25. In particular, imposing an informed, specific, affirmative and express opt-in requirement would mimic the GDPR’s construct of consent (i.e., “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”). However, the Act, at a short 15 pages as compared to the GDPR’s 88 pages, is focused primarily on user consent and lacks the robustness of the GDPR, which has an extensive suite of requirements covering a range of privacy and information security matters; instead, the Act delegates the drafting of further regulations to the Federal Trade Commission (“FTC”).
In particular, the Act would affirmatively require edge providers to notify users, at the time a user initially engages with the edge provider, of the types of information collected, how and for what purposes the information is shared, and the types of entities with which it is shared. Companies do not currently have such a disclosure obligation at the federal level (though some may already be in compliance with the California Online Privacy Act, which imposes similar notice requirements on website operators collecting the data of California residents).
Currently, U.S. companies in most industries (healthcare providers and financial institutions are notable exceptions) rely on previous FTC enforcement orders for somewhat piecemeal guidance on acceptable practices with respect to user consent to the processing of data. In contrast, the Act would impose more concrete requirements, though it is not clear whether it would necessarily provide for more assertive regulatory enforcement. The Act would keep enforcement power primarily with the FTC (though such authority is shared with state attorneys general, as well as with other relevant federal agencies with respect to certain industries), and it would maintain the FTC’s current regulatory authority to act against “unfair or deceptive acts or practices” in the same manner as it currently does. However, the FTC cannot impose monetary penalties in the first instance; it is generally only able to impose such penalties for later violations of a standing consent order. Therefore, unlike the GDPR (under which fines can be up to 4% of global annual turnover for the preceding fiscal year, or €20,000,000; see our post Administrative Fines Under the GDPR for more details), the Act would not appear to provide federal regulators with a comparably strong financial deterrent to misconduct. State attorneys general, however, would be able to bring civil actions on behalf of residents of their states in district court to enforce the Act and obtain damages, restitution or other compensation.
The Act would also require the FTC to promulgate regulations imposing a federal data breach notification obligation that would require edge providers to notify an affected user of a security breach. Currently, each U.S. state has its own data breach notification law; see our post All 50 States Now Have Data Breach Notification Laws.
The very public and high-profile allegations against Facebook have led to more discussion about data privacy than ever before within the United States. However, while the Act is significant as a piece of proposed legislation that would considerably change the U.S. data privacy regime, it is unlikely to pass given its lack of a Republican sponsor. Notably, the Act is not the only solution suggested by U.S. legislators in the aftermath of the events surrounding Facebook. A separate bipartisan bill was also introduced by Senators Amy Klobuchar (D-Minn.) and John Kennedy (R-La.), called the Social Media Privacy Protection and Consumer Rights Act, which shares some features with the Act (e.g., primary enforcement by the FTC, required disclosures of privacy practices) but only gives users the right to opt out of a company’s data processing, rather than placing the onus on a company to obtain affirmative user consent. This proposed legislation would also require appropriate data breach notifications to be made within 72 hours of a company becoming aware of a data breach, which is the same, very specific and short timeframe set forth under the GDPR. However, both the Act and the Social Media Privacy Protection and Consumer Rights Act have stalled since being introduced in the Senate in April. Some commentators have speculated that the steps taken by companies in connection with GDPR implementation may lessen the momentum in the U.S. to mandate stronger protections, even though many companies likely will not extend to U.S. residents the full GDPR protections required for EU residents. On the other hand, the GDPR may illustrate that greater privacy protections are manageable from both a technical and a business perspective, and it may also influence industry best practices that can serve as a benchmark for companies, regulators and even enforcement agencies.
To view the text of the Act, please see here.