Data Protection Policy Analysis

American Data Dissemination Act of 2019

March 2019
Score: 57/100

Criteria scores:

  • Clear Terms: 7/10
  • Specific Harms: 5/10
  • Helpful Processes: 5/10
  • Not Retroactive: 5/10
  • Not Harmful: 6/10
  • Free Speech: 5/10
  • Simple Consents: 3/10
  • International Commerce: 7/10
  • Fair Enforcement: 7/10
  • Small Enterprises: 7/10

SUMMARY

The American Data Dissemination Act, proposed by Sen. Marco Rubio, is a step in the right direction for privacy legislation. It seeks a simple and straightforward framework, based on pre-existing federal laws including the Privacy Act of 1974, HIPAA, FERPA, COPPA, Gramm-Leach-Bliley and the Fair Credit Reporting Act. It delegates significant rule-making to the FTC, particularly regarding consumers’ right to access and correct data. It also recognizes the need for one federal law rather than multiple, potentially inconsistent state laws.

The ADD Act would be improved by the addition of notice and consent standards which are critical to modern privacy laws.

The bill earns points for its clear drafting and practical approach. Some may question its broad deference to the FTC, but others may consider this a practical solution that accounts for the risk of Congressional inaction. We scored the bill optimistically because we anticipate the Commission’s influence on the legislation and final regulations will be positive.

It receives a grade of 57/100.

DETAILS

The American Data Dissemination Act (ADD Act) has two main components: first, it imposes deadlines for privacy regulation to occur; and second, it provides some general contours (perhaps too general) for that regulation. It delegates significant rule-making authority about key privacy standards to the Federal Trade Commission (the FTC). More specifically,

1. The ADD Act sets a firm timetable for Congress to either enact federal privacy legislation or to alternatively (and passively if additional legislation does not pass) grant broad regulatory authority to the FTC. Moreover, the Act provides that regulations it authorizes will broadly preempt state privacy laws. In order to encourage legislation, the FTC would:

  • In six months, propose “privacy requirements” for Congressional consideration as legislation;
  • In an additional 12-15 months, submit to Congress “detailed recommendations” (that could essentially be draft regulations) regarding those privacy requirements; and
  • If Congress does not enact similar legislation within 12-15 months of receiving the “detailed recommendations” (totaling no more than 27 months after enactment of the ADD Act), publish “final regulations” that impose those privacy requirements.

2. As for general contours of regulation, in the absence of more detailed legislation the ADD Act provides that federal privacy regulation will utilize the framework of the Privacy Act of 1974; will exempt activities that are already covered by industry-specific statutes governed by the FTC (notably the health care and education industries and potentially the financial and digital publishing industries); will exempt small businesses; and will preempt many state laws or their relevant provisions.

The Act provides a useful start in how to think about access to and deletion of personal information held by companies and has several key characteristics of a reasonable and enforceable federal privacy bill. Perhaps surprisingly, the ADD Act does not directly address consumer notice and consent or require FTC regulations to address those issues. (Nevertheless, the FTC could address those issues, if they think the Privacy Act provides enough relevant guidance.) Nor does it address whether any particular categories of data should be deemed sensitive and subject to higher levels of care, notice or consent. Some may think these omissions make the ADD Act insufficiently comprehensive to satisfy consumer concerns about privacy, but the omissions may empower the FTC to regulate broadly and satisfy many constituencies.

Criteria

Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 7/10]
Key terms, such as “collect,” “covered provider,” “disclose” and “record,” are reasonably well defined. Although some terms are defined somewhat broadly, they are not overly vague or subjective.
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 5/10]
The bill is a useful way to drive the regulatory process, but it defers identification of specific consumer harms (e.g., online tracking, invasive marketing, or lack of consumer notice) to the regulatory process. This contrasts favorably with some bills that propose requirements without identifying the harms being addressed, but it is favorable only to the point of being neutral.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 5/10]
The bill does not explicitly define any processes or notices that will be required of data collectors, processors or consumers, but its deference to the Privacy Act and other pre-existing laws ensures that the FTC will have a body of case law to draw from. More specifically, the benchmark Privacy Act does not itself require comprehensive privacy policies, but it does generally require agencies to inform Americans why information is being collected from them, and how and for what purpose it will be used. The ADD Act would leave it up to the FTC how (if at all) this requirement in the Privacy Act is translated into consumer privacy.
Notably, the ADD Act’s requirement for rules to permit consumers to “amend” their records may be unnecessary as the Fair Credit Reporting Act already permits consumers to make corrections (e.g., when records may be used to determine eligibility for credit, tenancy, employment or insurance).
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 5/10]
The legislation does not mandate any retroactive application, although it leaves open the possibility that the FTC could create regulations that do.
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 6/10]
It does not appear that the ADD Act or regulations will inhibit beneficial data models and uses. However, this optimism is in part due to an expectation that the FTC in regulations will protect freedoms of expression, confidentiality, trade secrets and other privileges from consumers’ right to access data and records.
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 5/10]
Because journalists and other media are not expressly exempted from the right of consumers to access information (in contrast to Europe’s GDPR, which expressly protects journalism), the ADD Act could inhibit freedom of expression unless the FTC carefully protects those rights. However, as noted above, the FTC is directed to create exceptions to the right of access, and we anticipate the Commission would protect First Amendment rights under those exceptions.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 3/10]
The Act does not itself set out consent standards, but rather it relies on the Privacy Act as a benchmark. The Privacy Act does not require the government to have consent to collect information, but it does require explicit consent for sharing information. (Similarly, as noted above, the Privacy Act does not require comprehensive privacy policies but does generally require agencies to inform Americans why information is being collected from them, and how and for what purpose it will be used.) This framework seems inadequate for a national privacy law standard, but perhaps the FTC will use the Privacy Act only as a jumping-off point for developing more comprehensive consent standards.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 7/10]
The Privacy Act only protects US citizens and permanent residents, so it is likely the ADD Act will be limited similarly and, thus, will not affect international commerce in a significant way.
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
The enforcement provisions rely on the existing (and generally well-regarded) standards of the Federal Trade Commission Act. Alleged violations of ADD Act privacy regulations would be considered unfair and deceptive practices under the FTC Act, so they would not be subject to private right of action. The Act thoughtfully excludes from its scope companies already covered by HIPAA (health care providers) and FERPA (education providers) and instructs the FTC to reconcile the Act’s provisions with COPPA (which applies to collection of data from children) and the Gramm-Leach-Bliley Act (which applies to financial institutions).
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
By directing the FTC to exempt “certain small, newly formed covered providers,” the bill accounts for the fact that smaller organizations may be unfairly burdened by new rules, legal fees, and operational changes required by these laws. However, there may be alternative ways to accommodate new organizations, e.g., by providing that penalties shall reflect the amount of data an alleged violator was managing, or whether the alleged violator was appropriately relying on well-regarded service providers.

“9-10” means the legislation thoughtfully accounts for the concern.

“7-8” means that, with adjustments, it can likely account for the concern.

“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.

“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.

“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.