All kidding aside, this is a real problem for the United States’ federal data privacy legal framework, which is guided in part by the Federal Trade Commission’s Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness (“Consumers should be given notice of an entity’s information practices before any personal information is collected from them”), and (ii) consumer choice and consent (“In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice”). If the vast majority of websites use privacy policies that consumers willfully ignore or otherwise fail to notice, much less comprehend, how can one reasonably claim consumers are “on notice and aware” of privacy policies and exercising real “choice and consent” to the management of their personal data?
Some notable items from the DATA 2020 draft bill include:
- Requirement to show “permissible purpose”: in all cases, data processors will be required to show a “permissible purpose” to process a consumer’s personal data, and such “permissible purpose” is broken down into 12 categorical use cases.
- Broadly-defined “unlawful data practices”: while a number of federal statutes narrowly define particular data practices which are illegal (e.g., wrongful disclosure of PHI under HIPAA), DATA 2020 favors wholesale prohibitions on certain data usage practices, including (i) use of facial recognition technology, (ii) commingling of personal data from multiple platforms or business lines, and (iii) re-identification of anonymized data (subject to certain exceptions).
- Establishment of “Data Accountability and Transparency Agency”: a new Executive branch independent agency, empowered with rulemaking authority, would be formed to enforce the requirements prescribed in DATA 2020.
To be clear, the chances of DATA 2020 passing in this Congress are slim-to-none. However, its language is instructive as a possible signal of policy priorities for a key segment of the Democratic Party, and should be read as another step forward in the 10+ year march towards all-encompassing federal data privacy and security legislation. If the Senate majority changes hands in November, we could see traction on this bill (or a similar bill adopting some/all of its key tenets) rather quickly.
Noting the above, what should your company do in the immediate future to ensure you’re prepared for what is coming? We recommend the following:
- Analyze the necessity of each item of personal data you currently collect. Are there certain items of personal data that you are collecting from your customers “just because?” While U.S. law currently does not require you to identify a “permissible purpose” for every item of personal data collected, that may well be the case in the not-so-distant future. It’s worth narrowing the population of personal data you collect from your customers so that you can defend those practices under any legal framework to come.
- Stay informed of future legislation. While we cannot predict the future of federal data privacy and security legislation, we can (and will) provide timely analysis of any future legislative and rulemaking updates that may affect your company. We invite you to bookmark Taft’s Privacy & Data Security Insights page and refer to it often.