USA: SB 3300 and omnibus federal data protection efforts
Whilst the US has traditionally taken a sectoral approach to privacy legislation, a number of high-profile privacy-related incidents paired with a dramatic surge in state-level privacy and data security legislation have brought privacy sharply into the focus of the public eye, in turn bringing about calls for omnibus federal privacy legislation. Aaron Simpson and Maeve Olney, Partner and Associate respectively at Hunton Andrews Kurth LLP, provide a high-level look at the current regulatory approach to privacy in the US and discuss the prospect of legislative reform at the federal level, analysing in particular Senate Bill 3300 ('SB 3300'), which, if enacted, would establish a federal data protection regulator.
There are numerous sources of privacy and data security law in the US, including laws enacted at the federal, state and local levels and enforced by regulators and through private rights of action. Unlike other global data protection frameworks, US privacy and data security law is not regulated by a single, comprehensive statute or regulation. Instead, the US historically has regulated privacy at the sectoral level. In the wake of Europe's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and in response to certain public scandals (such as Cambridge Analytica), the US has seen an explosion in privacy-related legislative activity at the federal and state levels in the recent past. As of the date of this writing, however, only one state (California) has put in place a comprehensive privacy law, and it remains the case that there is no comprehensive federal privacy legislation.
As explained further below, the current legal landscape creates ongoing complexity for businesses attempting to operationalise privacy compliance across multiple US jurisdictions. Federal legislative efforts that do not seek to establish an omnibus privacy law have the potential to further complicate businesses' compliance efforts.
US privacy and data security regulation: current approach
At the federal level, the U.S. Federal Trade Commission ('FTC') is primarily responsible for enforcing privacy and data security requirements, and its principal enforcement hook is Section 5 of the FTC Act, which prohibits 'unfair or deceptive acts or practices in or affecting commerce.'[1] State attorneys general also may use their enforcement authority under state consumer protection laws to address privacy and data security practices. Privacy and data security laws in the US tend to be sectoral in nature, with each law affecting only the industry sector or use of data specifically targeted by the relevant legislation. For example, at the federal level, there are privacy and data security laws that specifically regulate financial data, credit report information, health data and children's data. Similarly, various states have enacted laws regulating different types of personal information, such as financial data, health data, biometric data, and insurance information.
Additionally, privacy is viewed as a consumer protection issue in the US. This is in contrast to the view of privacy taken in other jurisdictions, such as in the EU, where data protection is viewed as a human right. This explains, in part, the US's historically sectoral approach to privacy regulation notwithstanding the wave of global data protection laws that take a broader approach, including the GDPR and similar legislation outside Europe. Since the late 1990s, there have been myriad Congressional efforts to introduce comprehensive federal privacy legislation, but to date, none have succeeded.
In June 2018, California passed the California Consumer Privacy Act of 2018 ('CCPA'), which applies broadly to California residents.[2] The CCPA imposes significant obligations on most businesses that handle personal information about California residents, and grants certain general privacy rights to California consumers, such as access and deletion rights with respect to their personal information, the right to opt out of the 'sale' of such data, and the right to obtain fulsome notice regarding the business's collection and use of their information. The enactment of the CCPA followed a period of increased media coverage and public scrutiny regarding the collection and use of personal information by US companies. As the first comprehensive privacy law in the US, the CCPA was a groundbreaking shift in the US privacy landscape and dramatically altered US businesses' approach to collecting, using and disclosing consumer personal information. Following passage of the CCPA, numerous other states introduced comprehensive privacy legislation granting similar rights to their residents. To date, however, none of those copycat bills have been enacted.
On 13 February 2020, Senator Kirsten Gillibrand introduced Senate Bill 3300.[3] Unlike other efforts, the Bill does not introduce a comprehensive federal privacy law. Rather, it seeks to establish a regulatory authority responsible for overseeing enforcement of existing (sectoral) federal privacy legislation.[4]
The Data Protection Agency contemplated by SB 3300 would have regulatory authority over any 'covered entity' that collects, processes, or otherwise obtains personal data, with the exception of an individual processing personal data in the course of personal or household activity.[5] Like the CCPA, SB 3300 defines 'personal data' broadly as 'any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device.' It also includes a non-exclusive list of various elements of personal information, including identifiers, employment data, financial information, medical and health information, commercial information, characteristics of protected classifications, biometric information, internet or other electronic network activity information, geolocation data, audiovisual information, education records, political information, password-protected digital photographs and digital videos not otherwise available to the public, criminal history, online identifiers, and inferences.[6]
SB 3300 would grant broad privacy-related responsibilities to the Data Protection Agency, including the following:
- providing leadership and coordination of efforts of the various federal agencies to enforce all federal laws, executive orders, regulations and policies related to privacy or data protection;
- maximising effort, promoting efficiency, and eliminating conflict, competition, duplication, and inconsistency among the operations, functions and jurisdiction of federal agencies responsible for privacy or data protection;
- requiring and overseeing privacy impact assessments and ex post outcomes of certain 'high-risk' data practices[7] by covered entities;
- examining the social, ethical, economic, and civil rights impacts of high-risk data practices and proposing remedies, as well as ensuring that privacy practices and processing by covered entities are fair, just, and comply with fair information practices;
- promoting Privacy by Design and data minimisation techniques;
- collecting, researching and responding to consumer complaints;
- implementing a formal public rulemaking process before the Data Protection Agency prior to implementation of any new high-risk data practice or other related profiling technique;
- reviewing and approving 'high-risk' techniques or applications of personal data processing (particularly with respect to the use of sensitive data and children's data);
- developing model privacy and data protection practices, standards, guidelines, policies and routine uses for the private sector;
- issuing rules, orders, and guidance implementing federal privacy laws;
- providing assistance, upon written request, to private sector entities in implementing privacy and data protection practices, principles, guidelines or policies; and
- enforcing other privacy statutes and rules as authorised by Congress.
The Data Protection Agency would have general rulemaking authority to issue regulations under the various existing federal privacy laws, as well as administer, enforce and otherwise implement the provisions of other federal privacy laws. In addition, with respect to 'very large covered entities' (i.e. covered entities that (i) have gross annual revenues in excess of $25 million; (ii) annually buy, receive for commercial purposes, sell, or disclose for commercial purposes, alone or in combination, the personal information of 50,000 or more individuals, households or devices; or (iii) derive 50 percent or more of annual revenues from the sale of personal data), SB 3300 would authorise the Data Protection Agency to require reports and conduct examinations on a periodic basis. For such covered entities, the Data Protection Agency would be empowered to assess the entity's compliance with federal privacy laws, obtain information about the entity's activities that are subject to federal privacy laws and the entity's associated compliance procedures, and require and oversee privacy impact assessments before high-risk data practices occur (as well as after-the-fact 'outcome audits' of such high-risk data practices).[8]
SB 3300 would grant the Data Protection Agency the authority to enforce violations of the law's requirements, including the authority to seek injunctive relief, restitution, actual damages, and/or civil penalties.[9] The Bill sets forth statutory civil penalties depending on the severity of the violation, ranging from $5,000 for each day during which the violation continues up to $1,000,000 per day.[10]
Consequences for US businesses
A key feature of SB 3300 is that, rather than establish a single regulatory framework for US privacy law, SB 3300 instead would create a regulatory authority with the power to enforce and make rules around the various existing federal privacy laws. As a result, SB 3300 would only contribute to the current patchwork of federal and state privacy and data security laws.
US businesses must expend considerable time, effort and resources to understand and comply with their various obligations under these laws. In addition, although many US privacy laws are thematically similar, each law presents different and nuanced compliance obligations, further complicating efforts by US businesses to comply with overlapping rules at the state level in lieu of a comprehensive federal framework to regulate consumer privacy. Adding to the global cacophony of privacy legislation, the various state efforts to regulate consumer privacy create a sense of discord even within the US with which businesses must grapple in the absence of federal privacy legislation. As a result, to the extent additional state bills like the CCPA are enacted, businesses will need to carefully evaluate the similarities and differences between the different legislative frameworks to develop a compliance approach that takes into account relevant requirements in light of resource constraints and other practical considerations.
Omnibus federal privacy legislation, on the other hand, could close the gap between US states' efforts to regulate consumer privacy. A comprehensive federal privacy law also would reduce complications faced by businesses in developing and operationalising their privacy compliance strategies. Bills such as SB 3300, however, which do not introduce a comprehensive scheme, have the potential to add to the regulatory discord rather than help resolve it. As such, developments with respect to SB 3300 and similar non-omnibus bills, as well as efforts to enact a comprehensive federal privacy law, should be carefully monitored as businesses attempt to shape their privacy compliance programs.
1. 15 U.S.C. § 45 (2012).
2. Cal. Civ. Code § 1798.100 et seq. (2018).
3. S. 3300, 116th Cong. (2020).
4. As of the date of this writing, there has been no action on SB 3300 since it was referred to the Senate Committee on Commerce, Science, and Transportation on 13 February 2020.
5. S. 3300, 116th Cong. § 3(2) (2020).
6. S. 3300, 116th Cong. § 3(5) (2020).
7. The Bill defines 'high-risk data practice' as an action by a covered entity that involves (1) a systematic or extensive evaluation of personal data that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or household or similarly significantly affect the individual or household; (2) sensitive data uses; (3) a systemic monitoring of publicly accessible data on a large scale; (4) processing involving the use of new technologies, or combinations of technologies, that creates adverse consequences or potential adverse consequences to an individual or society; (5) decisions about an individual's access to a product, service, opportunity or benefit which is based to any extent on automated processing; (6) any profiling of individuals on a large scale; (7) any processing of biometric data for the purpose of uniquely identifying an individual; (8) any processing of genetic data, other than data processed by a health care professional for the purpose of providing health care to the individual; (9) combining, comparing, or matching personal data obtained from multiple sources; (10) processing the personal data of an individual that has not been obtained directly from the individual; (11) processing which involves tracking an individual's geolocation; and (12) the use of personal data of children or other vulnerable individuals for marketing purposes, profiling or automated processing. S. 3300, 116th Cong. § 3(4) (2020).
8. S. 3300, 116th Cong. § 8 (2020).
9. S. 3300, 116th Cong. § 9 (2020).
10. S. 3300, 116th Cong. § 9(f) (2020).