The Privacy Bill of Rights Act: GDPR for the U.S.?
Last year, the EU enacted the GDPR, an expansive data privacy regulation that dramatically impacted businesses worldwide. Recently, on April 12, 2019, Senator Edward Markey (D-MA) introduced the latest in a string of proposed federal privacy laws, entitled the “Privacy Bill of Rights” Act. Though the odds of the bill’s passage are anyone’s guess at this point, Sen. Markey is a member of the Senate Commerce, Science, and Transportation Committee, which would be the appropriate committee for a federal privacy bill. Many now wonder whether the proposed Privacy Bill of Rights Act would bring rigorous regulations like those in the GDPR into force in the United States.
The Act shares features with GDPR, notably:

- The Act provides individual rights of notice, control, access, correction, deletion, and portability. Uniquely, U.S. entities that transact in other languages must also provide the rights of deletion and correction in those languages.
- The Act defaults to an “opt-in” model of individual consent, a feature that would decimate email lists across the U.S.
- The Act’s definition of “opt-in approval” is close to, although less specific than, the GDPR’s definition of consent.
- The Act’s definition of “Personal Information” mirrors GDPR’s drafting at a high level, but the Act explicitly includes more kinds of information, including biometrics, in a manner similar to the California Consumer Privacy Act.
- The Act covers all entities that collect personal information, not just those that collect online or have reached a certain size or number of consumers.
However, there are also significant differences between the Act and GDPR:

- The Act provides individuals the right to opt out, “where possible,” of the collection and use of de-identified information (a term that encompasses metadata and anonymized data). This closes a big loophole under the GDPR that enables companies to utilize metadata for commercial purposes. The Act does not hint at what “where possible” might mean.
- The Act requires the FTC to compile a list of all data brokers in the U.S. This suggests the FTC may be planning to require brokers to register and then promulgate regulations specifically directed at them; monetizing Big Data might get harder under the Act.
- The Act takes care not to preempt a host of established federal laws, such as COPPA, GLBA, and HIPAA.
- The private right of action for individuals first introduced in the CCPA survives in the Act, a feature not present in the GDPR.
- In addition to providing a “short-form” (i.e., plain-English) privacy notice, covered entities must disclose the date of collection of personal information, a substantial technical hurdle for businesses.
- A covered entity cannot offer financial incentives to individuals, including discounts, in exchange for the individual’s opt-in consent.
- The Act arguably preempts some state privacy laws by implication, but does give state attorneys general the ability to enforce the law. Some might read this provision as the federal government overriding state laws while also asking for help with enforcement.
On the whole, the Act is both broader and more specific than the GDPR. It covers more data than the GDPR and specifically targets businesses selling data (whether anonymous or not). Its drafters’ comprehensive intent is clear; less clear is how the proposed Act will evolve under what are sure to be intensive lobbying efforts by the likes of Facebook.
Look for a deeper dive into the Act’s implications for tech giants and small businesses alike in future posts.
***
At SK&S, we provide a full range of business counseling, transactional, regulatory, and investigative services across industry sectors. We help clients across the country build risk-based compliance systems and mitigate cyber risk. Our team includes attorneys with deep in-house experience building those systems, in addition to corporate, commercial, and M&A work at top law firms.