
Here We Go Again: House E&C Releases Opening Offer for Federal Privacy Bill

The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act or SECURE Data Act, HR 8413, has been introduced by lead sponsor, Rep. John Joyce (R-KY) and 8 co-sponsors, with the backing of both the House Energy and Commerce and Judiciary Committees.  While this is only the first step in attempting to enact this bill, it represents a renewed effort to establish a uniform and comprehensive federal privacy law as a bi-partisan coalition of states (21 thus far) have passed their own state privacy laws. 

This bill also seems more closely aligned with state law models than prior federal proposals, which were generally divided on the points of preemption and a private right of action. The bill does address preemption and does not provide a private right of action. Below we provide some quick takeaways from our initial read of this bill; this is not an exhaustive list of all potential hurdles at this early stage, and we will provide more detailed analyses of specific sub-topics to follow.

Applicability: Who would be regulated by the Act and who would be protected by the Act?

The Act applies to certain businesses depending on their business activity, data collection, and annual revenue thresholds.  The Act would apply if the person or business:

  1. is subject to the jurisdiction of the Federal Trade Commission Act OR a common carrier subject to the Communications Act of 1934; AND
  2. either
    1. conducts business in the U.S. or offers for use or sale to a U.S. resident a product or service; OR
    2. processes or engages in the sale of personal data of a U.S. resident; AND
  3. either
    1. collects and processes the personal data of more than 200,000 consumers annually and has an annual gross revenue of $25,000,000 or more; OR
    2. collects and processes the personal data of 100,000 or more consumers annually and derives 25% or more of the annual gross revenue from the sale of such personal data.

While the Act will apply to most companies doing business in the U.S., the Act includes some notable entity-level and data-level exemptions, a few of which are broader than the exemptions seen in state privacy laws. At the entity level, the Act would exempt financial institutions subject to Title V of the Gramm-Leach-Bliley Act, HIPAA-covered entities and business associates, and nonprofit organizations (although the Act appears to suggest the nonprofit exemption may be narrowed), among others. At the data level, the Act would exempt job applicant and employee data, HIPAA-covered protected health information, and data subject to the Fair Credit Reporting Act. This is a non-exhaustive list of the proposed entity-level and data-level exemptions.

The Act protects “consumers”, meaning individuals acting in their individual or household capacity, and does not include individuals acting in their commercial (business-to-business) or employment context. 

Preemption: What will happen to existing state privacy laws?

The Act includes relatively broad preemptive language, and prohibits states from prescribing, maintaining or enforcing laws, rules or regulations that relate to the provisions of the Act.  In addition to preempting comprehensive state privacy laws and any regulations promulgated thereunder, we expect that proponents will argue the Act should be construed to specifically preempt several different types of state laws including data broker laws, health-related laws like Washington’s My Health My Data Act, and some (but not all) children’s privacy and online safety laws.  The Act would also preempt certain suits being brought by AGs pursuant to their unfair and deceptive trade practice (UDAP) authority. However, the Act does not appear to preempt state data breach notification laws.

Enforcement: Who has enforcement authority? Is there a right to cure?

The Federal Trade Commission (FTC) would be the primary enforcer of the Act, with the authority to enforce the Act against FTC-regulated businesses and common carriers subject to the Communications Act.   

State attorneys general would also have the ability to enforce the Act but, unlike under many existing state privacy laws, would not have the ability to seek penalties or statutory damages from businesses found to have violated the Act. Similar to other federal frameworks, such as HIPAA, state AGs would be required to notify the FTC before filing an action in court alleging violations of the Act.

Yes, the Act provides a 45-day right to cure before the FTC or state attorneys general can initiate a lawsuit against a business. Notably, the cure period will not sunset.

Sensitive Personal Information (SPI): How does the SECURE Data Act address SPI and how does it compare to current state approaches? 

The Act largely tracks the definition of sensitive data adopted under state privacy laws that follow the “Virginia” model. SPI would include the following categories of information: (1) personal data that discloses racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a child or teen; and (4) precise geolocation data. While some states have expanded their categories of sensitive data over time, including by adding precise geolocation data, overall the Act’s categories of sensitive data are consistent with most states. The Act also does not adopt the California “opt out” approach to sensitive data processing. Instead, the Act provides an opt-in framework consistent with non-California state privacy laws: companies would have to obtain a consumer’s “specific, informed, and unambiguous agreement” before collecting, selling, or using consumers’ sensitive data in any way.

Affirmative Data Requirements: What are some of the obligations that would be placed on controllers? 

The Act includes many common affirmative data requirements on controllers, including requirements to be transparent and disclose their data collection and use practices, to have a controller-processor agreement with certain provisions, to observe data minimization (to only process what is “adequate, relevant and necessary”), to limit secondary use of personal data, to implement reasonable data security practices, to receive and process data subject rights requests, to not discriminate against consumers who exercise their rights, and to comply with COPPA when processing the data of kids under 13. The Act also includes a requirement to obtain verifiable consent from parents before processing teens’ (13-16) data.

Data Rights: What rights would consumers have?

The Act’s data rights closely align with most state comprehensive privacy laws that follow the “Virginia” model.  Data rights are not absolute and are subject to certain exemptions, and include: 

  • Right to confirm if processing and access a copy of personal data
  • Right to correct
  • Right to delete
  • Right to data portability
  • Right to opt out of targeted advertising (expressly excludes measurement or ad reporting), sale, profiling
  • Right to appeal within the controller business (controller needs to establish a process)

Controllers would have 45 days to respond to each request type (with option to extend by additional 45 days in certain instances); all data rights would be subject to authentication.

Other Observations

Other key observations include: 

  • The Act includes a specific section on data brokers, processing of pseudonymous data, a framework for processors or controllers to submit a Code of Conduct to the Secretary for approval, and international data flows and requirements for the Secretary of Commerce to help facilitate them within a defined framework.
  • The Act largely does not address personal data being processed for automated decision making, except in the context of profiling to make legal or significant decisions through automated means.
  • The Act specifically requires companies to disclose the categories of data they share with third parties, including personal data processed in or sold to foreign adversaries.
  • The Act does not expressly require controllers to recognize privacy rights submitted by an authorized agent or to recognize and honor universal opt out mechanisms, such as Global Privacy Control.
  • The Act proposes a study be conducted on universal opt out mechanisms within 3 years of the Act’s enactment.
  • The Act would allow for targeted advertising for anyone 16 or older, and would require consent from parents before processing personal data for targeted advertising to anyone under 16.   

*            *            *

Stay tuned, the Womble Bond Dickinson Privacy & Cybersecurity team, Digital Solutions Sector team, and Federal Government team will be providing more granular breakdowns of this proposed bill, its potential impacts, and the pathways required for it to become law. In the meantime, please reach out to the authors or the Womble Bond Dickinson attorneys with whom you normally work with any questions.
