For those not following every detail regarding the progress of the “three corners” federal privacy bill, here’s a summary of where things stand.
In brief, on June 23, the House E&C Consumer Protection Subcommittee held a markup during which it considered a substitute version of the bill (HR 8152), approved it by voice vote, and forwarded it to the full E&C Committee for consideration. The amended bill contains a host of changes, many of which push it in a more business-friendly direction. Senate Commerce Chair Cantwell is more critical of the bill than ever, and has told the media that she won’t take it up in the Senate without substantial improvements. Meanwhile, the FTC, not to be forgotten, released another notice stating that it intends to launch its “commercial surveillance” rule in June 2022. (Yeah, this month.)
That may be all that many of our readers need to know. However, for more details, read on!
The Amended Bill
As noted above, the amended bill contains lots of changes – some small, some big, and some just moving text around. A few of the changes enhance protections for consumers, but most create more flexibility for businesses. Here are some of the changes that jumped out at us:
- The amended bill completely revamps its approach to service providers and third parties. Instead of imposing multiple obligations on these entities directly, the bill moves closer to the GDPR-style approach of characterizing these entities as “processors” whose obligations flow primarily from the contracts with, and/or disclosures of, the first parties from whom they receive data. These changes appear in the service provider/third party provisions (§302) and elsewhere, too. For example, each provision in the bill now specifies whether it applies to service providers and/or third parties (most don’t), and the bill now defines “covered entity” as an entity or person that “alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data…” §2(9)
- The new bill provides more leeway to engage in marketing and advertising. Of note, it adds exceptions for first party marketing and targeted advertising to the data minimization provisions (§101(b)(11) & (12)); deletes “online activities” from the sensitive data category (§2(24)); and allows the collection and processing of sensitive data, without opt in, to provide a product or service requested by an individual and for a range of other permissible purposes. §102(a)(2) (Transfers still require opt in, subject to limited exceptions. §102(a)(3)). Other provisions remain somewhat confusing in this regard. For example, the bill now excludes first party marketing from the opt out of data transfers (§204(b)(2)) but not targeted advertising. §204(c) Further, even as the bill deletes online activities from the sensitive data category, it now requires opt in for, not just the transfer, but also the collection and processing of aggregated internet search or browsing history. §102(a)(4)
- The bill also exempts from coverage government agencies and their service providers (§2(9)(C)); broadens the exceptions for small businesses (§209); expands the provisions allowing loyalty programs (§104(b)(2)); and limits the PRA to actual damages (vs. compensatory damages). §403(a)(2) On the other hand, it expands the restrictions on “dark patterns” (§§203(b) & 204(d)); requires the FTC to develop a Unified Opt Out (i.e., no study needed) (§210); authorizes enforcement by not just state AGs, but also other “State Privacy Authorities” (§402); and settles on a “knowledge” standard (in lieu of “actual knowledge”) for determining who is a minor, with some important caveats. §205
The markup was fairly quick and uneventful. Members on both sides of the aisle noted their support for the bipartisan effort and stressed that the bill is not the final product. Two Republicans offered amendments – Rep. Lesko to address political bias by the platforms, and Rep. Armstrong to address concerns about the enforcement, preemption, and PRA schemes – but both agreed to withdraw them in the interest of getting the bill to the full Committee. The full Committee could mark up the bill – likely, another substitute amendment – after the House’s July 4th recess.
The Challenges Ahead
Despite quick action by the Subcommittee, the bill still faces daunting challenges with little time to resolve them. It’s late June in an election year. Some of the issues raised in response to the “discussion draft” haven’t been addressed – including, as Chairman Pallone noted at the hearing, concerns about preemption and the PRA. In addition, the changes in the amended bill create additional questions that will need to be resolved.
Perhaps the darkest cloud over the bill is the lack of support from Senator Cantwell (and her Democratic colleagues Sens. Wyden, Blumenthal, and Schatz, too.). While Cantwell was critical of the “discussion draft,” she has excoriated the revised bill, telling the Washington Post and other news outlets that it has “enforcement loopholes,” that it’s “too weak” to justify preempting state privacy laws, and that Schumer backs her decision not to even bring up the bill in the Senate. (In comments to a reporter last week, her staff also cited concerns about women’s privacy in light of the then-likely, now official, reversal of Roe v. Wade.) Meanwhile, the frustration among the bill’s sponsors is palpable, with Rep. Schakowsky snapping back at Cantwell in the press, and all of the sponsors urging Cantwell to come the table. Without Cantwell’s support, the bill has little or no chance of becoming law.
FTC Privacy Rulemaking Imminent
Meanwhile, in an updated filing with OMB, the FTC just announced that it will launch its “commercial surveillance” rulemaking this month by issuing an Advance Notice of Proposed Rulemaking with a 60-day comment period. As a reminder for our readers, the rulemaking would follow Mag-Moss rulemaking procedures, and would be designed to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Per Mag-Moss procedures, the ANPR will seek public comment but will not yet propose rule text.
If the FTC keeps to this schedule, that means that we will see the ANPR this week. So, for folks who are already whipsawing between privacy developments in California, Colorado, Europe, and Congress (with big news often announced on Friday nights), add this to your late-night reading list. The FTC announcement also confirms that, even if HR 8152 falters, the FTC plans to run with the ball on privacy, perhaps emboldened by the bipartisan efforts and shared concerns that propelled HR 8152 forward.
We’ll continue to track privacy developments at the federal and state level here.