Preparing for Federal Privacy Law Regulations Coming Down the Pipeline
We’ve all discussed the five state laws, but there is, for business, a great desire for a federal law, just because it’s way too complicated to manage so many different states, never mind the extra-territorial stuff. There is a desire for things to be easier and more favorable to business. It is a push-pull and it’s a very difficult line to walk.
—Susan Raab, Customer Data Platform Institute
Indeed. There has been much discussion concerning state privacy law, their similarities, differences, and strategies for managing what’s coming in 2023 and beyond. Here we turn our attention to the emerging federal privacy law which is gaining unprecedented momentum. To discuss Preparing for Federal Regulations Coming Down the Pipeline, a panel of experts joined moderator Cobun Zweifel-Keegan, D.C. Managing Director, IAPP at the Spokes Technology Conference (held June 22-23).
Zweifel-Keegan was joined by BDO Privacy and Data Protection Director Jeremy Berkowitz; Susan Raab, Managing Partner, Customer Data Platform Institute; and Jessica L. Rich, Kelley Drye, Of Counsel who was previously with the FTC for 26 years.
Federal privacy law backdrop
“Privacy has been on this country’s radar in a big way since the late 90s. We don’t have a comprehensive federal privacy law. Instead, we have sector-specific laws that apply to a particular market sectors, entities, or data like COPPA, Gramm-Leach-Bliley, FCRA, and FERPA” notes Rich.
“The law with the broadest coverage is the Federal Trade Communications Act which broadly prohibits unfair deceptive practices, including privacy and data security which apply to a very broad array of entities.”
What many don’t realize is that the Federal Trade Commission (FTC) also has jurisdiction in areas where other agencies play a role notes Rich. “For example, HIPAA is enforced by HHS and covers Health entities, but the FTC has jurisdiction over many of those same entities. The same is true regarding COPPA and FERPA covered entities.”
But, the FTC Act, which is the main privacy law in this country, doesn’t set forth privacy standards. It only allows the agency to act after the fact and determine whether something’s unfair and deceptive. There are gaps in jurisdiction, gaps in remedies, and the FTC has very limited rulemaking capacity.
—Jessica L. Rich, Kelley Drye
“The result is 20-years of ongoing Congressional debate about whether to pass a federal privacy law.”
Rich notes that the FTC is considering rulemaking using its “very cumbersome authority,” viewing privacy through both a competition and a consumer protection lens with a lot of focus on leveling the playing field between big and small companies. And using more substantive (and prescriptive) provisions like limiting the use of data (rather than the notice and choice approach).
What are we likely to see in terms of enforcement for federal privacy laws?
“I want to bring in the context of what we’re now calling the ADPPA: the American Data Privacy and Protection Act” (H.R. 8152). “That’s where all the attention has been in Congress over the last couple of weeks, says Berkowitz, “and it is remarkable to see a bill right now, where there seems to be a large consensus between both parties on what should be in this bill.”
That said, the history of attempts by the States, as noted here, demonstrates both cross-party cooperation and “intra-party strife. Both blue states and red states were not able to reach accord on this issue despite a strong desire from all concerned to pass legislation.”
And indeed, as Berkowitz goes on to note, “there seems to be a lot of consensus, particularly on some issues around preemption and the private right of action. However, in the Senate, committee chairperson, Senator Maria Cantwell (State of Washington) is not yet on board with this bill. She hasn’t come out against it, but of all the players in both houses on the relevant committees, she’s the only one who has not signed off on this yet.”
New authority and consensus for the FTC
…getting money, money, money whatever way they can. By partnering with the states or alleging rule violations in creative ways, because you can get money when you allege rule violations, not just Section 5.
—Jessica Rich, Kelley Drye
Notably, the ADPPA provides a lot of new authority to the FTC including 1) a new bureau and staff to the FTC to be able to enforce the act, 2) the ability to be able to promulgate rules, particularly around data minimization and consumer requests requirements, and 3) a requirement for companies to certify once a year that they have a CPO and DPO.
“This bill – at least its current form – is going to provide a lot of that much needed authority,” opines Rich, and notes that FTC Chair Kahn has a more power now “to push through her agenda. Now that she has a majority, you’re probably going to see some more aggressive action over the coming months, regardless of whether this law gets passed or not.”
Rich further notes that FTC enforcement is both expanding and taking broad interpretations of existing laws. For example, “they basically took a very narrow rule – the health breach notification rule – and said it applied to every health APP.
One of the things that I would emphasize, though, is so far, this has all been through settlements. There are a lot of very good arguments that companies could make as to why some of this stuff goes beyond the FTC’s authority.
But most companies, given the cost of litigation, are going to settle.
—Jessica Rich, Kelley Drye
“But I think it’ll get a lot more interesting,” suggests Rich, “if companies start pushing back on some of these aggressive remedies.”
Children’s privacy likely to play key role in new federal privacy law
Zweifel-Keegan notes that historically, the FTC has been highly active on children’s privacy. The Children’s Online Privacy Protection Act granted specific rulemaking and enforcement authority over children’s privacy issues. And in 2019 the FTC began the process of updating COPPA.
“Children’s privacy is its own animal, says Raab. “It’s a sector but it’s also a kind of microcosm of privacy because it ties in with everything: education, healthcare, sports, all of it.”
But what is particularly unique about children’s privacy is “who’s allowed to give consent and what’s allowed to be held.”
As any parent knows, children’s data starts to be put out there before a child is born and on through their life. Data for which they had no input and were incapable of giving consent. At what point does the child or an individual get control of their own personal data that’s been out in the universe?
—Susan Raab, Customer Data Platform Institute
“The reason Education Technology (EdTech) is so important is that it is a giant black hole when it comes to protecting children’s data. There are lots of ways in, and a lot of people know it. It’s the weakest link in the data ecosystem.”
Importantly, reminds Raab, “if you can get children’s data, you can get the whole family’s data as well. A lot of places think they don’t need to worry because they don’t deal with children. But in fact, every company holds children’s data, if in no other place but in human resources, so it’s very complicated.”
“From a legislative perspective,” says Berkowitz, Senate Commerce Committee members Richard Blumenthal and Marsha Blackburn could not be further apart…but have come together on the Kid’s Online Safety Act (S.3663) that was introduced in February.
Raab points out that Senators Markey and Cassidy also have their own bills that looks to evolve COPPA. “It’s going to be interesting to see where things go from here.”
Teens don’t care about privacy
Part of the Children’s and Teen Online Privacy Protection Act (S.1628), notes Raab, is to “capture the tween category the 13 to 15 category. But even trying to manage the privacy needs for young people of one age are different than the need over time.
“Once you start to hit ages where youth can participate in it, where the children give consent, and you know this migrates on through. With children, you always have different gatekeepers whether it’s a teacher or a parent or caregiver. Plus, you have the children themselves.
I was involved in COPPA in its early stages and later. The FTC – not that it had control over this –when asked whether COPPA should be extended to teens said the consent model doesn’t really work well with teens because they don’t care.
—Jessica Rich, Kelly Drye
“They certainly don’t want their parents giving consent for them,” continues Rich, “so when it came to actually standing COPPA, there wasn’t a lot of support for it. Now we have these bills that are more about age-appropriate codes: don’t serve up toxic content to teens and needing to ‘know’ who you’re dealing with.
“Maybe get consent from them or their parents for certain uses of data, but it’s complicated and it’s not easy when it comes to teens. “I do think it’s important that any protections that apply to adults in a large bill like the ADPPA apply to everyone and that there’s additional protections for teens and kids.”
The knowledge standard
“There was a hearing…an active discussion about the ‘knowledge standard’ and how a company can know they’re dealing with a child or a teen, relates Rich.
“And what they put out [in the ADPPA] is a draft that settled on ‘knowing.’” What knowing means exactly is a concept, as Rich notes, on which the courts have opined.
“This gets to what companies can know, what do they want to know, and, sometimes, what they want to know is not so much if it gets in the way of what they want to do,” said Jessica Rich.
When you’re thinking about the children’s components and some of the new rules that are going to be around duty of loyalty and data minimization, there is a consensus that this is a growing problem. We also need to think about how we want to manage it from a from a risk perspective.
—Jeremy Berkowitz, BDO
How all of this plays out, and when (and if) federal privacy laws finally arrive, one thing is certain. “In terms of the trajectory of how far we’ve come it’s incredible,” opines Rich. “Privacy has arrived for Republicans and Democrats. For businesses and for consumers, it’s a huge shift.”