New Privacy Bill Provides Opt-Out Rights and New Data Security Requirements | Inside Privacy
New Privacy Bill Provides Opt-Out Rights and New Data Security Requirements
By Andrew Longhi, Jayne Ponder and Libbie Canter on May 26, 2021
POSTED IN CONGRESS, FEDERAL TRADE COMMISSION
To add to the growing list of federal privacy frameworks introduced this year, Senator Amy Klobuchar (D-MN) has re-introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667). Senator Klobuchar introduced the bill originally in 2018 and 2019, although it did not advance to committee in either instance. Senators Kennedy (R-LA), Burr (R-NC), and Manchin (D-WV) have co-sponsored the bill.
Key provisions in this bill include:
Covered Entities and Data: The bill applies to websites and mobile applications, including social networks, that collect personal data while consumers use their online platforms. The definition of personal data expressly encompasses data governed by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”).
Required Privacy Choices: Online platforms must provide users with the option to specify their privacy preferences, which may be done by agreeing to the terms of use for the online platform.
Consent for New Products and Changes to the Program: Platforms may not introduce new products or change the data privacy or security program in a way that overrides the privacy preferences of users unless they inform users of the change and obtain their “affirmative express consent,” a term which is not defined by the proposal.
Access Rights: If requested by the user, platforms must offer free of charge a copy of the personal data that they processed in an electronic and easily accessible format, including a list of each person that received the user’s data.
Breach Notification: The bill mandates that online platforms notify users within 72 hours that their personal data has been transmitted in violation of the online platform’s privacy or security program, including transmissions in violation of the user’s privacy preferences. Online platforms must also offer users the option to prohibit the operator from collecting and using their information further and delete their personal data.
Accountability: The proposal also requires that covered entities have privacy programs in place, and audit the program at least every two years.
Enforcement: The bill empowers the Federal Trade Commission (“FTC”) to enforce its provisions. It also grants state attorneys general and other state consumer protection officers enforcement authority should the FTC decide not bring a civil action of its own.
Unlike some of the other proposals this year, including the Information Transparency and Personal Data Control Act, this bill does not preempt state privacy laws. Also, it does not provide consumers a private right of action.
The text of the bill will be available here. We will continue to monitor legislative developments on this front.
By Andrew Longhi, Jayne Ponder and Libbie Canter on May 26, 2021
POSTED IN CONGRESS, FEDERAL TRADE COMMISSION
To add to the growing list of federal privacy frameworks introduced this year, Senator Amy Klobuchar (D-MN) has re-introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667). Senator Klobuchar introduced the bill originally in 2018 and 2019, although it did not advance to committee in either instance. Senators Kennedy (R-LA), Burr (R-NC), and Manchin (D-WV) have co-sponsored the bill.
Key provisions in this bill include:
Covered Entities and Data: The bill applies to websites and mobile applications, including social networks, that collect personal data while consumers use their online platforms. The definition of personal data expressly encompasses data governed by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”).
Required Privacy Choices: Online platforms must provide users with the option to specify their privacy preferences, which may be done by agreeing to the terms of use for the online platform.
Consent for New Products and Changes to the Program: Platforms may not introduce new products or change the data privacy or security program in a way that overrides the privacy preferences of users unless they inform users of the change and obtain their “affirmative express consent,” a term which is not defined by the proposal.
Access Rights: If requested by the user, platforms must offer free of charge a copy of the personal data that they processed in an electronic and easily accessible format, including a list of each person that received the user’s data.
Breach Notification: The bill mandates that online platforms notify users within 72 hours that their personal data has been transmitted in violation of the online platform’s privacy or security program, including transmissions in violation of the user’s privacy preferences. Online platforms must also offer users the option to prohibit the operator from collecting and using their information further and delete their personal data.
Accountability: The proposal also requires that covered entities have privacy programs in place, and audit the program at least every two years.
Enforcement: The bill empowers the Federal Trade Commission (“FTC”) to enforce its provisions. It also grants state attorneys general and other state consumer protection officers enforcement authority should the FTC decide not bring a civil action of its own.
Unlike some of the other proposals this year, including the Information Transparency and Personal Data Control Act, this bill does not preempt state privacy laws. Also, it does not provide consumers a private right of action.
The text of the bill will be available here. We will continue to monitor legislative developments on this front.
