On June 3, 2022, members of the U.S. Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and data security framework. The draft is notable in that it reflects a compromise on the two issues that have for years vexed lawmakers angling for federal privacy legislation: preemption and private right of action. The House Energy and Commerce Committee has announced a hearing for June 14 to discuss the draft.
The discussion draft has become widely known as the “three corners” bill, because it has the support of three of the four “corners” of the relevant committees: the Chair and Ranking Member of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee. Notably, the fourth “corner,” Senate Commerce Committee Chair Maria Cantwell, is circulating her own draft.[1] While there are similarities between the two drafts, the differences reflect the likely sticking points among the negotiators.
Overlap and Similarities
Both drafts would apply to all entities within the Federal Trade Commission’s (FTC) jurisdiction, along with common carriers and nonprofit entities. They would both require these entities to do the following:
- limit the amount of consumer data that can be collected, processed, or transferred (i.e., data minimization);
- generally refrain from offering consumers financial incentives to waive privacy rights;
- maintain privacy policies and provide consumers rights to data access, correction, deletion, and portability;
- implement reasonable data security;
- obtain consumers’ opt-in consent for the collection, processing, and transfer of sensitive data (e.g., health, geolocation, race, sexual orientation);
- give consumers the opportunity to opt out of targeted advertising[2] and transfer of data to third parties,[3] with the FTC to study the feasibility of a global opt out and issue a rule if it deems such an opt out to be feasible;
- refrain from algorithmic discrimination; and
- implement data governance requirements, such as a requirement to have one or more privacy officers and data security officers.
In terms of the enforcement scheme, both bills would do the following:
- provide for enforcement by the FTC and state Attorneys General;
- allow the FTC to seek civil penalties for first-time violations, with penalties being eligible to go to a Victim Relief Fund within the U.S. Department of the Treasury that the FTC can use to redress victims;
- generally preempt state laws;[4] and
- create a limited private right of action (though see our discussion of sticking points below).
The three corners draft includes some provisions not present in the Cantwell draft, but that Senator Cantwell would likely support, including: 1) the creation of a data broker registry and an option for consumers to have data brokers refrain from collecting their data; 2) additional protections for children and teens; 3) an expansive definition of “affirmative express consent,” which includes a prohibition on seeking consent through dark patterns; and 4) a requirement that companies disclose whether they are transferring personal data to Russia, China, Iran, or North Korea. These provisions were likely added by Democratic sponsors, and Senator Cantwell would probably agree with their inclusion; they presumably were added to the three corners bill later in the drafting process and therefore did not make it into Senator Cantwell’s draft.
Differences and Sticking Points
There are some areas where the two bills diverge, signaling likely sticking points in the negotiations:
- Private right of action: In both bills, the private right of action would cover only certain provisions. For example, there would be no private right of action for the data minimization provisions or some of the data governance provisions. In the Cantwell bill, private rights of action could commence as of the effective date of the legislation; notice and a right to cure would be required for injunctive, but not monetary, relief; and pre-dispute binding arbitration clauses would be prohibited for practices causing substantial privacy harm. In the three corners bill, private rights of action would not be allowed until four years after the effective date of the legislation; small businesses would have an additional right to cure; and most pre-dispute binding arbitration clauses would be allowed. In addition, the bill would require prospective class action plaintiffs to notify the FTC and relevant state Attorney General prior to filing suit, and the plaintiffs could not proceed if these entities take action.
- Duty of loyalty: Both bills include a “duty of loyalty” section. The three corners bill limits the duty of loyalty to 1) a requirement to minimize the amount of data collected, 2) specific prohibitions on certain conduct (e.g., prohibition on transfer of SSNs, non-consensual intimate images), and 3) a prohibition on providing financial incentives to give up rights under the bill. In addition to including similar provisions, the Cantwell version would also prohibit deceptive and harmful data practices. Cantwell’s bill defines harmful data practices to include practices that cause or are likely to cause financial, physical, or reputational injury, or offensive intrusion upon solitude or seclusion of an individual, where such intrusion would be offensive to a reasonable person. An outright prohibition on harmful data practices would likely have broad implications. Under current law, a practice is only actionable if the harmful data practices are not outweighed by countervailing benefits to consumers or competition.
- Safe harbors: The three corners bill includes a safe harbor provision that would permit companies to work with approved third parties to have their privacy practices deemed as compliant. The Cantwell draft does not include a safe harbor.
- Whistleblower protections: While the Cantwell draft specifically provides some legal protections for whistleblowers, the three corners draft does not.
- Independent litigating authority for the FTC: Cantwell’s bill would allow the FTC to seek civil penalties in its own name, rather than having to partner with the U.S. Department of Justice.
- Exceptions for small businesses and heightened requirements for large data holders: Both bills contain exceptions for small businesses. For example, small businesses do not have to comply with requirements to implement data portability, or implement particular security measures (e.g., vulnerability assessment). But the bills define “small businesses” differently. The three corners bill would exempt businesses that, for the preceding three years, have less than $41 million in revenue, collect or process less than 100,000 individuals’ data, and do not derive more than 50 percent of their revenue from transferring consumer data. The Cantwell bill has similar data thresholds for the exemption, but would only exempt businesses that, for the preceding three years, have less than $25 million in revenue. Both bills also contain heightened requirements for “large data holders.” For example, large data holders must conduct algorithmic impact assessments, have privacy and security officers that report to the CEO, and have their CEOs conduct annual certification of compliance with the bill’s requirements. The three corners bill defines large data holders as entities that have annual gross revenues of more than $250 million that collect, process, or transfer personal data of five million consumers (or sensitive data of 100,000 consumers). The Cantwell bill does not include the revenue threshold, but defines as large data holders entities that process or transfer the covered data of more than five million individuals or devices, or process or transfer the sensitive covered data of more than 100,000 individuals or devices.
Takeaways
So, what is the bottom line? Will there be federal legislation this year? Here are some takeaways:
- Both drafts borrow heavily from concepts already set forth in state privacy laws and GDPR. Companies already following these requirements will have a significant head start if this legislation comes to pass.
- Despite the sticking points, negotiators have made tremendous progress. Republicans appear to have given on certain items (notably, a private right of action), and Democrats appear to have given on certain items (notably, preemption). The consensus on the substantive provisions is remarkable, and seems to reflect a genuine interest in trying to achieve something. It is a shining example of how a functional Congress can work.
- At the same time, given the significance of the sticking points and the ticking clock in Congress, federal privacy legislation may not be enacted this year. Nonetheless, states, other committees, and industry groups often take language from existing drafts, so the concepts contained in these drafts may come up in other contexts.
For additional assistance with regulatory compliance regarding privacy, security, and consumer protection laws, please contact Wilson Sonsini attorneys Laura Ahmed, Dan Chase, Maneesha Mithal, or Libby Weingarten.
[1] While Chair Cantwell has not officially released her legislation, we reviewed a widely circulated draft.
[2] Only “large data holders” would have to do this under the Cantwell bill. See discussion of large data brokers below.
[3] Service providers are not considered third parties under either draft bill.
[4] The Cantwell bill preserves “laws related to biometric or genetic information,” whereas the three corners bill specifically preserves Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act, but it would presumably preempt other laws in the biometrics or genetics space. The Cantwell bill also would preserve state criminal or civil laws “regarding malicious conduct involving use or misuse of personal information.”