
USA: Overview of the House leaders' strategy for draft privacy national standard

U.S. House Energy and Commerce Committee Republican Leader, Cathy McMorris Rodgers, and Republican Leader for the Consumer Protection and Commerce Subcommittee, Gus Bilirakis, announced, on 3 November 2021, the release of a comprehensive federal legislative draft bill to establish a national privacy standard. If introduced, the draft bill would be known as the Control Our Data Act. It aims to strengthen federal privacy protections and is guided by four core principles, which aim to promote innovation, increase transparency and accountability, and set clear rules for protecting consumers' data privacy.


Scope and governing principles

The draft bill applies to covered entities, which it defines as any organisation, corporation, trust, partnership, estate, cooperative association, sole proprietorship, unincorporated association, or other entity, including such covered entity's affiliates, over which the Federal Trade Commission ('FTC') has authority. These covered entities would be bound by the draft bill when processing personal information, which is defined as any information that is linked or reasonably linkable to a specific individual. However, personal information does not include:

  • information that is collected, used, or shared solely for the purpose of employment of an individual, including any information regarding an individual that pertains to such individual in their capacity as an owner, director, or employee of a partnership, corporation, trust, estate, cooperative, association, or other type of entity; 
  • aggregate information;
  • deidentified information; 
  • information that is rendered unusable, unreadable, or indecipherable such as because the information is redacted, tokenised, or encrypted; 
  • information legally obtained from a publicly available source, including information obtained from a news report, periodical, or other widely distributed media, or from Federal, State, or local government records; or
  • pseudonymised information.

In this respect, Paul Lanois, Director of Technology, Outsourcing, and Privacy at Fieldfisher LLP, provided some interesting insight and explained that, "There is a lot to unpack from the draft bill, but, in a nutshell, the draft bill would generally provide for a greater level of transparency nationally. If passed, the draft bill would require covered entities to:

  • provide privacy disclosures in their privacy policies;
  • 'post conspicuously', or otherwise make available, a summary of the covered entity's privacy policy;
  • provide information 'at or before the point of collection' of personal information; and 
  • honour requests for the exercise of privacy rights […]."

The list of principles governing this draft bill goes on, as Lanois explained that "other key provisions include retention limitation (i.e. data can only be retained as long as necessary for the purpose), the establishment of 'privacy by design', the need to perform 'risk assessments' (which are similar to data protection impact assessments), and requirements relating to information security." Lanois went on to note that, "[i]nterestingly, the draft bill distinguishes 'small to mid-size entities' from 'large entities' and in certain cases imposes additional requirements to 'large entities'. Finally, the draft bill would introduce new requirements for data brokers – namely a requirement to provide a website notice, a required audit log of accessed and transmitted information, and a registry of data brokers to be maintained by the FTC."

Similarities and divergences with the GDPR

At a first reading, this draft bill may remind those with some familiarity with the European privacy legislative framework of certain provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In fact, some concepts that have now become part of the standard lexicon of the privacy world, such as privacy by design or the right of access, cannot but make one think of the Articles and Recitals of the GDPR. 

Analysing this European inspiration within the draft bill further, Lanois considered that indeed, "[t]here are a number of elements of the Control Our Data Act which are similar to those of the GDPR – for example, the focus on transparency, the disclosure requirements, the privacy rights, or the 'risk assessment' requirement. Even the 30-day timeframe to respond to a request for the exercise of privacy rights is reminiscent of the GDPR."

Having said this, the two pieces of legislation differ on various other aspects and present diverging points that need to be underlined. As Lanois stated, "once we start to dig a little deeper, it appears that while the GDPR may have been a source of inspiration for the Control Our Data Act, it is not a direct transposition of the GDPR. For example, the right of access under the Control Our Data Act is limited to the provision of categories of information, not the provision of the actual content of the information held. Additionally, the definition of 'personal information' under the Control Our Data Act is narrower than the GDPR, including only information that is linked or linkable to a 'specific individual' with several exclusions, including information that is tokenised, encrypted, or pseudonymised. Finally, the Control Our Data Act requires a summary of the privacy policy to be made available, whereas the GDPR does not have such a requirement. The draft bill also imposes additional requirements on 'large entities' whereas the GDPR imposes the same requirements on all organisations, regardless of their size."

Consumer rights under the draft bill

The draft bill also establishes a series of rights for the consumer. Lanois outlined that such rights include "the right of confirmation (that the organisation has personal information of such individual), the right of access (but only in relation to categories, not specific information), the right of correction, the right of deletion, and the right to object to the use of 'sensitive information'. In relation to 'sensitive information', while the definition includes similar items as the GDPR's 'special categories of personal data' (e.g. health or biometric data), the draft bill adds to the category information such as the contents and parties to communications, financial information, drivers' license number, etc."

The current US privacy law system and the draft bill

The US does not have a singular law that covers the privacy of all types of data. Instead, it has a mixture of laws that cover different types of personal data. This mixture extends to having laws which address the privacy and protection of personal data on both an overarching federal level with key laws for set purposes, and on a State level with patchwork laws. Some of these State laws have become a benchmark for the nation, pushing legislative progress following the adoption of privacy laws in California, Virginia, and Colorado, but an overarching national privacy law is still lacking.

Things could change if this draft bill were introduced and became law. As Lanois explained, "Section 112 of the draft bill – helpfully titled 'One National Standard' – is quite clear that the intention of the drafters is to pre-empt State law. Section 112(a)(1) in particular would prevent any State law relating to 'the collection, use, or sharing of personal information by or on behalf of a covered entity'. It is clear that one of the key goals of the draft bill is to streamline privacy requirements across the nation and prevent the emergence of a requirement emerging from an individual State to become a national state. In other words, State laws would not be able to exceed or provide additional protections than the 'one national standard'."

How would companies be affected by the provisions of the draft bill?

Nonetheless, the path for the draft bill to become law is still long and uncertain, as Lanois cautioned: "assuming the draft bill is passed, which is not necessarily the safest bet to make, as demonstrated by the legislative history of other federal privacy bills which have all failed to pass the finishing line, organisations across the nation will be required to revamp their data privacy policies and practices." In this respect, Lanois highlighted that "[i]n most cases, organisations who have already worked on a GDPR (or California Consumer Protection Act of 2018 ('CCPA')) compliance program would be able to leverage the work they have performed and there would not be too much work needed to comply with the bill. However, organisations who have not worked on GDPR or CCPA compliance because they were out of scope are likely to find that a lot of work needs to be done in order to meet the requirements of the Control Our Data Act."

Conclusion

While the initiative is praiseworthy, and the time is ripe for the US to equip itself with a federal privacy law, there is still considerable uncertainty about the outcome of this draft bill and about the legal certainty of some of its provisions. In particular, Lanois noted the need to consider some additional aspects, including the draft bill's provisions on privacy policies. In this respect, Lanois highlighted that "in relation to the requirement to make available a summary of the privacy policy, it is unclear whether the intention is to have a separate document or whether the summary can be rolled into the main privacy policy. Absent a specific requirement to have a separate document for the summary, many organisations may choose to simply adopt a layered privacy policy, i.e. a single privacy policy whereby readers would be provided with general and high level information, and in relation to each item, readers can opt to click on a 'Read more' button to access additional information."

It is clear that there is still some way to go, and as the draft bill is yet to be approved and formally introduced as a bill in the U.S. Congress, we will have to see what this holds for the US and its ongoing attempts at adopting federal privacy legislation.

Marcello Ferraresi Privacy Analyst

Comments provided by:

Paul Lanois Director of Technology, Outsourcing, and Privacy
Fieldfisher LLP, Palo Alto