
USA: Discussion draft for federal data privacy bill - What you need to know

On 3 June 2022, a bipartisan group of U.S. Senate and U.S. House of Representatives leaders released a discussion draft for a federal comprehensive data privacy bill, the American Data Privacy and Protection Act ('the Discussion Draft Bill'). Notably, the Discussion Draft Bill is the first comprehensive federal privacy bill to gain bipartisan and bicameral support, and with discussions on a federal data privacy bill ongoing, there is much attention on how it will progress. In this article, OneTrust DataGuidance Research outlines the main provisions with respect to consumer rights, the key obligations for businesses, and what can be expected in terms of enforcement.


Introduction

The Discussion Draft Bill, as it currently stands, is divided into four main Titles. The first focuses on the duty of loyalty and contains provisions on associated principles such as data minimisation and Privacy by Design, as well as certain other loyalty duties concerning restricted practices.

The second Title addresses consumer data rights, focusing on, among others, transparency, ownership and control, the right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, as well as data security and protection of covered data.

The third Title focuses on corporate accountability, addressing executive responsibility and compliance requirements, designating security and privacy officers, and conducting impact assessments. The third Title also addresses, among other things, service providers and third parties and their associated obligations.

The fourth and final Title of the Discussion Draft Bill covers enforcement, applicability, and miscellaneous provisions. On enforcement, it sets out how and when the provisions would be enforced by the Federal Trade Commission ('FTC') and State Attorneys General ('AGs'), and outlines a private right of action for individuals.

In terms of its scope of applicability, the Discussion Draft Bill refers to 'covered entities' throughout, which it defines broadly to include:

  • entities or persons that collect, process, or transfer covered data and:
    • are subject to the FTC;
    • are a common carrier subject to Title II of the Communications Act of 1934; or
    • are an organisation not organised to carry on business for its own profit or that of its members; and
  • entities or persons that control, are controlled by, are under common control with, or share common branding with another covered entity.

Key duties and principles

Data minimisation

The Discussion Draft Bill expressly prohibits covered entities from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide or maintain a specific product or service requested by the individual, to deliver a communication that is reasonably anticipated, or to serve another purpose expressly permitted by the Discussion Draft Bill. To give this requirement further specificity and establish what is to be deemed 'reasonably necessary, proportionate, and limited', the FTC would be tasked with issuing guidance that considers:

  • size, nature, scope, and complexity of the activities engaged in by the covered entity, while also considering whether the covered entity is a large data holder or third-party collecting entity;
  • sensitivity of collected, processed, or transferred covered data;
  • volume of covered data collected, processed, or transferred; and
  • number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates.

Data collection, processing, and transfer restrictions and limitations

In line with these requirements, the Discussion Draft Bill also outlines prohibited actions and practices. More specifically, covered entities cannot collect, process, or transfer social security numbers, biometric information, nonconsensual intimate images, or genetic information, except for certain listed purposes. Additionally, covered entities are prohibited from transferring to a third party an individual's precise geolocation information, aggregated internet search or browsing history, or physical activity information collected from a smartphone or wearable device, except with the individual's affirmative express consent and a standalone, conspicuous notice explaining certain information to the individual.

Privacy by Design

Another key element provided for by the Discussion Draft Bill is Privacy by Design, to be considered at the outset. Covered entities would need to establish and implement reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data. These must take into account applicable federal, state, or local laws, rules, or regulations in advance, and mitigate privacy risks, including those related to individuals under the age of 17. Covered entities should also implement reasonable training and safeguards to promote compliance with all applicable privacy laws.

In doing so, the Discussion Draft Bill outlines additional factors to be considered, requiring that the covered entity's policies, practices, and procedures correspond with:

  • its size and the nature, scope, and complexity of the activities it is engaged in;
  • the sensitivity of the covered data;
  • the volume of covered data collected, processed, or transferred;
  • the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity relates; and
  • the cost of implementing the program in relation to the risks and nature of the covered data.

Protection of minors

The Discussion Draft Bill expressly prohibits any targeted advertising to children and minors where the covered entity has actual knowledge that the individual is under the age of 17. It would also require the establishment of a Youth Privacy and Marketing Division within the FTC, tasked with addressing the privacy of, and marketing to, children and minors.

Data security

Similarly to other key privacy laws, covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures necessary to protect and secure covered data against unauthorised access and acquisition. While these data security practices and measures may take into account circumstances specific to the covered entity, the Discussion Draft Bill outlines specific requirements that must be included at a minimum.

Specifically, covered entities should incorporate the following minimum practices:

  • assess vulnerabilities;
  • take preventive and corrective action;
  • evaluate these preventive and corrective actions;
  • ensure information retention and disposal practices are in place;
  • train employees;
  • respond to incidents; and
  • designate an officer or employee(s) to maintain and implement such practices.

Privacy policies

Within its consumer rights provisions on the right to be informed, the Discussion Draft Bill sets out detailed requirements regarding the privacy policies that covered entities must provide to individuals.

Covered entities must make their privacy policies publicly available in a clear, conspicuous, and readily accessible manner, and must ensure that the policy describes their data collection, processing, and transfer practices in detail and accurately. The privacy policy must also be made available in each language in which the covered entity provides a product or service subject to the policy, or carries out activities related to that product or service.

As would be expected, the privacy policies are required to include, at a minimum, the following information:

  • the identity and contact information of the covered entity and any other entity within the same corporate structure to which covered data has been or may be transferred;
  • the categories of covered data collected or processed;
  • the processing purposes for each category of covered data;
  • whether covered data is transferred and, if so:
    • each category of service provider and third party to which covered data is transferred;
    • the name of each third-party collecting entity to which covered data is transferred; and
    • the purposes for which covered data is transferred to such categories of service providers and third parties or to third-party collecting entities, except for transfers to governmental entities pursuant to a court order or a law that prohibits the covered entity from disclosing such transfer;
  • the length of time the covered entity intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that time frame, the criteria used to determine the length of time the covered entity intends to retain categories of covered data;
  • how individuals can exercise their rights;
  • a general description of the data security practices;
  • the effective date of the privacy policy; and
  • whether or not any covered data collected is transferred to, processed in, or otherwise made available to the People's Republic of China, Russia, Iran, or North Korea.

Notably, the Discussion Draft Bill imposes an additional obligation on large data holders to provide a short-form notice.

Consumer data rights

Access, correction, deletion, and portability

The Discussion Draft Bill provides individuals with the right to access, correct, and delete their covered data, as well as the right to data portability. Once an individual's request has been verified, large data holders must comply within 30 days of verification; covered entities that are neither large data holders nor covered entities described in Section 209(c) of the Discussion Draft Bill must comply within 60 days of verification; and covered entities described in Section 209(c) must comply within 90 days of verification. Rights are to be exercised free of charge for the first two requests within a 12-month period, with each subsequent request being subject to a reasonable fee.

Similarly to other key global privacy laws, the Discussion Draft Bill also outlines exceptions to the exercise of data subject rights.

Consent and objection

The Discussion Draft Bill requires that affirmative express consent be obtained for the collection or processing of sensitive covered data. Affirmative express consent is defined as an 'affirmative act by an individual that clearly communicates the individual's freely given, specific, informed, and unambiguous authorization for an act or practice, in response to a specific request from a covered entity that meets [certain] requirements'.

In addressing consent, the Discussion Draft Bill also requires covered entities to provide a clear, conspicuous, and easy-to-execute means for an individual to withdraw any affirmative express consent previously given. This means of withdrawal must be as easy for 'a reasonable individual' to execute as the means of providing consent.

Individuals would also be afforded the right to opt out of targeted advertising and of transfers of their covered data to third parties.

Corporate accountability

Privacy and data security officers

The Discussion Draft Bill requires covered entities to designate one or more qualified employees as privacy officers, and in addition to this, one or more qualified employees as data security officers. These officers are also required to, at a minimum, implement a data privacy program and data security program to safeguard the privacy and security of covered data, and to facilitate the covered entity's ongoing compliance with its obligations.

Notably, the Discussion Draft Bill would impose an additional requirement on large data holders: they must designate at least one of the above officers to report directly to the entity's highest official and serve as privacy protection officer, with additional responsibilities.

Impact assessments

The Discussion Draft Bill would require large data holders to conduct privacy impact assessments that are reasonable and appropriate in scope given certain criteria relating to the covered entity's practices. The assessments must be documented in writing and retained unless superseded by a subsequent assessment, and must be approved by the privacy officer.

The first assessment would be due from all large data holders one year after the enactment of the Act, and from covered entities that are not large data holders at enactment one year after the date on which they meet the definition of a 'large data holder' or the date of enactment, whichever is sooner. Thereafter, impact assessments must be conducted biennially.

Third parties and service providers

The Discussion Draft Bill details separate obligations for third parties and for service providers, while also placing additional obligations on covered entities generally. More specifically, third parties must not process third party data for purposes inconsistent with the individual's reasonable expectations. Service providers, meanwhile, cannot collect or process service provider data for any purpose not performed on behalf of, and at the direction of, the covered entity. They also cannot transfer service provider data to a third party, another covered entity, or another service provider without the affirmative express consent of the individual, which must be obtained directly by the covered entity, and they have additional obligations around deleting or de-identifying certain data.

Enforcement

One notable aspect of enforcement under the Discussion Draft Bill is that powers are granted to the FTC, to State AGs, and to individuals themselves. As regards the FTC, the Discussion Draft Bill would call for an additional bureau to be created, and violations would be treated as unfair or deceptive acts or practices subject to the FTC's enforcement powers.

Meanwhile, AGs, or the chief consumer protection officer of the State, would have the authority to bring civil actions to enjoin the act or practice; enforce compliance; obtain damages, civil penalties, restitution, or other compensation; or obtain reasonable attorneys' fees and other litigation costs. Before initiating any civil action, however, AGs would be required to notify the FTC.

Interestingly, the Discussion Draft Bill provides for a private right of action for individuals, a topic which is often debated when it comes to data privacy legislation in the US. The private right of action would become available only four years after the date on which the Act takes effect, if passed. Similarly to actions by AGs, before bringing a private action an individual must notify the FTC and the relevant AG, who would then have 60 days to respond as to whether they intend to take separate or additional action.

Conclusion

While the above covers only a small portion of the provisions of the Discussion Draft Bill, many other provisions set various obligations for covered entities. If the Discussion Draft Bill is introduced and passed in both chambers of the U.S. Congress, it would take effect 180 days after its enactment.

Iana Gaytandjieva, Lead Privacy Analyst