American Data Dissemination Act of 2019March 2019
The American Data Dissemination Act, proposed by Sen. Marco Rubio, is a step in the right direction for privacy legislation. It seeks a simple and straightforward framework, based on pre-existing federal laws including the Privacy Act of 1974, HIPAA, FERPA, COPPA, Gramm-Leach-Bliley and the Fair Credit Reporting Act. It delegates significant rule-making to the FTC, particularly regarding consumers’ right to access and correct data. It also recognizes the need for one federal law rather than multiple, potentially inconsistent state laws.
The ADD Act would be improved by the addition of notice and consent standards which are critical to modern privacy laws.
The bill earns points for its clear drafting and practical approach. Some may question its broad deference to the FTC, but others may consider this a practical solution that accounts for the risk of Congressional inaction. We scored the bill optimistically because we anticipate the Commission’s influence on the legislation and final regulations will be positive.
It receives a grade of 57/100.
The American Data Dissemination Act (ADD Act) has two main components: first, it imposes deadlines for privacy regulation to occur; and second, it provides some general contours (perhaps too general) for that regulation. It delegates significant rule-making authority about key privacy standards to the Federal Trade Commission (the FTC). More specifically,
1. The ADD Act sets a firm timetable for Congress to either enact federal privacy legislation or to alternatively (and passively if additional legislation does not pass) grant broad regulatory authority to the FTC. Moreover, the Act provides that regulations it authorizes will broadly preempt state privacy laws. In order to encourage legislation, the FTC would:
- In six months, propose “privacy requirements” for Congressional consideration as legislation;
- In an additional 12-15 months, submit to Congress “detailed recommendations” (that could essentially be draft regulations) regarding those privacy requirements; and
- If Congress does not enact similar legislation within 12-15 months of receiving the “detailed recommendations” (totaling no more than 27 months after enactment of the ADD Act), publish “final regulations” that impose those privacy requirements.
2. As for general contours of regulation, in the absence of more detailed legislation the ADD Act provides that federal privacy regulation will utilize the framework of the Privacy Act of 1974; will exempt activities that are already covered by industry-specific statutes governed by the FTC (notably the health care and education industries and potentially the financial and digital publishing industries); will exempt small businesses; and will preempt many state laws or their relevant provisions.
The Act provides a useful start in how to think about access to and deletion of personal information held by companies and has several key characteristics of a reasonable and enforceable federal privacy bill. Perhaps surprisingly, the ADD Act does not directly address consumer notice and consent or require FTC regulations to address those issues. (Nevertheless, the FTC could address those issues, if they think the Privacy Act provides enough relevant guidance.) Nor does it address whether any particular categories of data should be deemed sensitive and subject to higher levels of care, notice or consent. Some may think these omissions make the ADD Act insufficiently comprehensive to satisfy consumer concerns about privacy, but the omissions may empower the FTC to regulate broadly and satisfy many constituencies.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 7/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 5/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 5/10]
Notably, the ADD Act’s requirement for rules to permit consumers to “amend” their records may be unnecessary as the Fair Credit Reporting Act already permits consumers to make corrections (e.g., when records may be used to determine eligibility for credit, tenancy, employment or insurance).
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 5/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 6/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 5/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 3/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 7/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.