Developments in eCommerce, Privacy, Internet Advertising, Marketing and Information Services Law and Policy
In this issue we review the bipartisan formation of the Senate Artificial Intelligence Caucus, the response letter from the Chairman of the Federal Trade Commission (FTC) regarding protecting consumers' data privacy and security, and the Senate Commerce Subcommittee's hearing, "Small Business Perspectives on a Federal Data Privacy Framework." We examine the FTC's hearings 11 and 12 in the series on "Competition and Consumer Protection in the 21st Century" and the FTC's review of broadband providers' privacy practices. We also report on an amendment to the California Consumer Privacy Act (CCPA) that would provide clarity to the definition of "consumer." We cover the conference on data breaches held by the European Data Protection Supervisor (EDPS) and the European Union Agency for Network and Information Security (ENISA), and the European Commissioner's address on data matters at the Ninth Annual European Data Protection and Privacy Conference. Finally, we discuss a beta test launched by the United Kingdom's Information Commissioner's Office (ICO) and a report, "Online Harms White Paper," presented to the UK Parliament.
Heard on the Hill
- Bipartisan Senate Artificial Intelligence Caucus Formed
- FTC Chairman Simons Addresses How the Commission Would Use Additional Resources to Protect Consumers' Data Privacy and Security
- Senate Commerce Subcommittee Holds Hearing on Small Business Perspectives on a Federal Data Privacy Framework
Around the Agencies
- FTC Holds Hearings 11 and 12 in Series on "Competition and Consumer Protection in the 21st Century"
- FTC Reviews Broadband Providers' Privacy Practices
In the States
- European Data Protection Super-Regulators Hold Joint Conference on Data Breaches
- European Commissioner Addresses Data Matters at 9th Annual European Data Protection and Privacy Conference
- UK's ICO Initiates "Beta Phase" of Regulatory Sandbox
- UK Government Issues White Paper on Online Harms
Heard on the Hill
On March 13, 2019, Sen. Rob Portman (R-OH) and Sen. Martin Heinrich (D-NM) announced their formation of the Senate Artificial Intelligence (AI) Caucus. The Senate AI Caucus's membership also includes Sen. Brian Schatz (D-HI), Sen. Cory Gardner (R-CO), Sen. Gary Peters (D-MI), and Sen. Joni Ernst (R-IA). The new caucus is a counterpart to the House Congressional AI Caucus, which was launched in May 2017 and is currently co-chaired by Rep. Pete Olson (R-TX) and Rep. Jerry McNerney (D-CA).
According to Sen. Portman, the objective of the Senate AI Caucus is to facilitate connections between members and staff of the Senate, executive branch officials, and individuals in the private sector and academia with AI expertise, and to formulate policies that maintain "ethical standards" and balance potential risks and benefits of AI.
In his announcement of the caucus's formation, Sen. Portman notes that the Senate AI Caucus is complementary to the White House's American AI Initiative. The American AI Initiative was established in February 2019 as a result of President Donald Trump's signature of an executiveorder on Maintaining American Leadership in Artificial Intelligence, which directs federal agencies to prepare the workforce for changes brought about by AI and to "promote and protect developments in AI."
To date, the Senate AI Caucus has not launched an official website or announced any scheduled events or initiatives.
On March 20, 2019, House Committee on Energy and Commerce (Committee) Chairman Frank Pallone (D-NJ) and Chair of the Committee's Subcommittee on Consumer Protection and Commerce (Subcommittee) Jan Schakowsky (D-IL) sent a letter to Federal Trade Commission (FTC) Chairman Joseph Simons inquiring how the FTC would use new funding to protect consumers' data privacy and security. Specifically, Committee Chairman Pallone and Subcommittee Chair Schakowsky asked, among other questions: (1) what resources would the FTC need to "dramatically" advance its data privacy and security enforcement activity; how the FTC would assign different amounts of funding for its work on data privacy and security; and (3) whether the FTC would require additional resources if Congress were to grant the FTC notice-and-comment rulemaking authority pertaining to data privacy and security.
FTC Chairman Simons responded in a letter to Committee Chairman Pallone dated April 1, 2019. In his letter, FTC Chairman Simons stated that with additional resources, the FTC would hire additional staff to: (1) expand enforcement of existing privacy laws, including the Children's Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act; (2) expand enforcement of the EU-U.S. Privacy Shield; (3) enhance work on compliance reviews of the FTC's data privacy and security orders; and (4) create a new unit to advance FTC "policy, case generation, and targeting" with respect to data privacy and security matters. He noted that the FTC would need additional funding if it received data privacy and security notice-and-comment rulemaking authority, and he expressed support for the enactment of federal legislation that would provide the FTC with civil penalty authority for data privacy and security violations, as well as Administrative Procedure Act rulemaking authority.
On March 26, 2019, the Senate Committee on Commerce, Science, and Transportation's (Committee) Subcommittee on Manufacturing, Trade, and Consumer Protection (Subcommittee) convened a hearing, "Small Business Perspectives on a Federal Data Privacy Framework." Subcommittee members and witnesses discussed aspects of a potential federal data privacy framework, including preemption, digital advertising, civil penalties, exceptions, and Federal Trade Commission (FTC) authority, among other topics. The hearing, a follow-up from a February Committee hearing on the principles of a federal data privacy framework, demonstrates the Subcommittee's continued interest in crafting a federal privacy law.
Opening statements by Subcommittee members focused on the need for bipartisan support for a federal privacy framework.
The hearing featured five witnesses representing business, consumer advocacy, and technology policy organizations. Witnesses' opening statements expressed support for uniformity of law and addressed the impact of onerous requirements and fines on small companies with limited resources. During questioning, all five witnesses expressed support for uniform federal legislation and for a federal privacy framework to preempt state law. Witnesses expressed different views regarding whether businesses should be subject to civil penalties for first-time offenses, with most witnesses who said they supported such penalties suggesting that the penalties be adjusted to fit either the harm caused by the violation or graduated based on other metrics.
When asked about how a federal privacy framework should address de-identified and aggregate data, the consumer advocacy and technology policy representatives both supported exceptions for this type of data. The witnesses were united in their support for Congress to provide the FTC with additional resources, rulemaking authority, and primary privacy enforcement authority.
Witnesses also expressed support for state attorneys general to have privacy enforcement authority, as long as the FTC provides them with interpretation and enforcement guidelines.
Around the Agencies
On March 25-26, 2019 and April 9-10, 2019, the Federal Trade Commission (FTC) convened its eleventh and twelfth hearings in its ongoing hearing series on "Competition and Consumer Protection in the 21st Century." Hearing 12, "The FTC's Approach to Consumer Privacy," addressed privacy frameworks, approaches to harm and consumer injury, digital advertising, sensitivity of data, and the FTC's authority. Hearing 11, "The FTC's Role in a Changing World," explored the FTC's role internationally.
During opening remarks for hearing 12, FTC Chairman Joseph Simons discussed the positives and negatives of data collection and expressed support for evaluating the FTC's approach to privacy in a shifting world. During two days of panels, speakers expressed support for different goals associated with privacy regulation, including: (1) increasing competition; (2) preventing harm; improving consumer transparency and control over data; and (4) managing consumer expectations.
On the topic of potential federal privacy legislation, panelists discussed the merits and challenges of a new federal privacy law. Several panelists expressed support for the FTC to play a role in developing federal privacy legislation and for a federal privacy law to preempt state laws. One panelist cautioned that if Congress does not preempt state laws, only the largest companies will be able to achieve compliance with state laws. Former FTC Chairman Jon Leibowitz stated that Congress will be unlikely to pass preemptive legislation unless it includes strong privacy legislation.
When discussing the potential for a new federal privacy law, Venable Chairman and Partner Stu Ingis discussed the recently launched coalition, Privacy for America. Mr. Ingis stated that Privacy for America is proposing a "New Paradigm" that would establish a framework that: (1) outlines specific prohibitions against discriminatory practices; (2) defines practices that benefit consumers, such as advertising; and (3) creates an FTC Bureau of Data Protection.
Previously, at hearing 11, invited speakers and FTC officials discussed the following topics, among others: (1) approaches to U.S. data privacy protection; (2) global data privacy frameworks; (3) the FTC's international role; and (4) international cooperation on data and privacy matters. One main topic of discussion was the U.S. SAFE WEB Act ("SAFE WEB"), which amended the FTC Act and provides the FTC with enforcement tools regarding consumer protection matters, particularly those with an international dimension. During opening remarks, FTC Director Randolph Tritell expressed support for SAFE WEB, stating that it facilitates cooperation between the FTC and its international counterparts, and helps counter fraud and promote fair investigative practices and sound enforcement. FTC Chairman Simons noted that SAFE WEB expires in 2020 and called for its renewal.
During the hearing, panelists also considered the benefits and challenges to the FTC's formal and informal cooperation with its international counterparts. With respect to investigating cross-border consumer protection cases, one panelist characterized privacy laws as a challenge to international cooperation. The panelist added that establishing a common definition of confidential information may help address this challenge. When noting the benefits of international cooperation, another speaker cited increased efficiencies, sharing of best practices, detection and deterrence of anticompetitive conduct, and certainty for businesses and agencies as examples.
The FTC's thirteenth and most recent hearing, "Merger Retrospectives," was held on April 12, 2019. The FTC has no future hearings scheduled in its series on Competition and Consumer Protection in the 21st Century.
On March 26, 2019, the Federal Trade Commission (FTC) announced it had issued orders, pursuant to its authority under Section 6(b) of the FTC Act, to seven Internet broadband providers and related entities requesting information about their privacy practices. According to the FTC, the orders are intended to enable the FTC to study these companies' privacy practices as they increasingly offer advertising-supported content in addition to communication services. The announcement included a sample copy of the order, which contains requests for information about the companies' practices relating to: (1) the collection, retention, use, and disclosure of personal information; (2) the notices and disclosures provided to consumers; (3) the companies' consent and choice practices; and (4) the extent to which the companies permit consumers to access, correct, and delete their personal information. The orders were issued by a unanimous vote and require each company to file a report with the FTC within 45 days of the date of service.
Along with the announcement, the FTC published a generic sample order containing requests for a variety of information and materials within the topics listed above. For example, it requests information about the categories of personal information each company collects, the sources of this personal information, the purpose for which this information is used, whether the information is shared with third parties, and how long the information is retained. The sample order also asks for information about each company's de-identification and aggregation practices, whether the companies offer consumers choice with respect to their privacy practices, and whether each of the companies has denied or degraded service to consumers who do not permit the company to collect their personal information.9 The order further requests copies of each company's consumer notices and disclosures relating to their data collection practices.
The FTC will review the information it receives from these companies, but it has not identified any other next steps that will follow its receipt of the requested reports.
In the States
On April 12, 2019, California Assembly Member Ed Chau (D-49), along with California State Senators Bill Dodd (D-03) and Robert Hertzberg (D-18), introduced an amendment to the California Consumer Privacy Act (CCPA), AB-25, which would provide clarity to certain provisions of the CCPA. The CCPA, among other requirements, will give consumers new rights to access the personal information businesses collect about them, request that businesses delete such information, and opt out of the "sale" of such information to third parties.1 The CCPA will be effective on January 1, 2020. The new consumer rights created by the law will be enforced by the California Attorney General (AG) beginning six months after the publication of the final regulations interpreting the CCPA or July 1, 2020, whichever is sooner.2
The amendments here offer to clarify that the CCPA's definition of "consumer" does not apply to employee personal data processed by employers for business purposes. The CCPA defines "consumer" as "a natural person who is a California resident … including by any unique identifier."3AB-25 clarifies that employee data is meant to be excluded from the definition of consumer by adding the following text: "Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person's activities for the business as a job applicant, employee, contractor, or agent of the business."
On April 23, 2019, AB-25 was approved unanimously by the California Assembly Committee on Privacy and Consumer Protection and referred to the Assembly Appropriations Committee.
On April 4, 2019, the European Data Protection Supervisor (EDPS) and the European Union Agency for Network and Information Security (ENISA) held a joint conference in Belgium on assessing the risk of personal data breaches. EDPS is an independent data protection authority that supervises and monitors European Union (EU) institutions and advises them on personal data protection and privacy. ENISA is a center for cybersecurity expertise that provides recommendations and standards to EU institutions, supports policy-making and policy application, and works in partnership with cybersecurity teams throughout the EU.
The joint EDPS-ENISA conference was organized to gather the thoughts and experiences of regulators, data controllers, and data processors regarding data breach notification practices under the General Data Protection Regulation (GDPR) and European Data Protection Regulation (EDPR). The conference consisted of three panel discussions and an exchange of views between ENISA and EDPS. The panel discussions are summarized below.
Panel Discussion I – Personal Data Breaches Under GDPR and EDPR and Experience Gained So Far
Panel I was moderated by Thomas Zerdick of EDPS and consisted of the following panelists: Max Rozendaal of Autoriteit Persoonsgegevens, the Dutch data protection authority; Niall Cavanagh of the Office of the Data Protection Commissioner, the Irish data protection authority; and Giuseppe D'Acquisto of Garante per la protezione dei dati personali, the Italian data protection authority. The panelists provided information about GDPR implementation and discussed the regulation in the context of data breach notification practices. Mr. Rozendaal commented on sources of data breaches, such as human error and notices sent to incorrect addresses, as well as the nature of data that can become the subject of a breach (i.e., online identities and special categories of data). Mr. Cavanagh discussed statistics for breaches in his country since the effective date of the GDPR, as well as regulator and data subject notification. He reported that breaches have resulted from unauthorized disclosures, cyber incidents, lost or stolen devices, lost or stolen papers, and other events. He noted that 65% of Ireland's breaches occurred in the private sector and 35% of breaches occurred in the public sector. Finally, Mr. D'Acquisto conveyed that breach notification provides individuals with important knowledge on unknown incidents, enhances their trust in digital services, and is a vital part of protecting individual rights in the data economy.
Panel Discussion II – Personal Data Breaches Management: Processes and Procedures
Prokopios Drogkaris of ENISA moderated Panel II, which consisted of panelists with expertise in data security, law, policy, and financial auditing. Among other topics, the panelists addressed the importance of incident response plans, breach notification templates, and data incident policies, emphasizing the GDPR's 72-hour time frame for breach notification and the need to update incident response plans to account for lessons learned after dealing with a breach. The panelists also discussed problems associated with "shadow IT" and "shadow data," which they noted cause particular GDPR-related concerns. "Shadow IT" refers to unauthorized apps used by employees within organizations without their information technology department's knowledge. "Shadow data" refers to the information those apps process. Panelists discussed that use of these apps by employees pose difficult questions in relation to GDPR compliance, specifically with respect to the regulation's required security measures, duties regarding transparency, and cross-border data transfer mandates.
Panel Discussion III – Supporting Data Controllers on Assessing the Risk of a Personal Data Breach
The conference's final panel was moderated by Athena Bourka of ENISA and consisted of panelists from EDPS, law firms, and EU-based human rights agencies. Fernando Silva of the Comissão Nacional de Protecção de Dados, the Portuguese data protection authority, also served on the panel. The panelists noted that assessing the risk of a personal data breach must be done on a case-by- case basis, and the assessment must objectively analyze and consider the nature of the breach, volume of data affected, sensitivity of the data, and context in which the breach occurred. The panelists also emphasized the importance of documenting the steps taken to assess risk in a log, and the role of data protection impact assessments in evaluating risk.
On March 20, 2019, Věra Jourová, European Commissioner for Justice, Consumer Rights, and Gender Equality (Commissioner), delivered a speech at the Ninth Annual European Data Protection and Privacy Conference. In her speech, she addressed the global discussion on privacy and the lessons learned from the first ten months of enactment of the GDPR.
The Commissioner noted that countries around the world are adopting a privacy approach similar to that of the European Union's (EU) framework. Specifically, she noted that the various approaches generally contain three similar features: (1) an overarching privacy law; (2) safeguards and rights included within that law; and (3) an independent supervisory authority. She stated that similarity in rules permits a free data flow, and added that the EU and Japan recently entered into an adequacy finding, creating "the world's largest area of free and safe data flows." She stated that while the EU values U.S. commitment to the Privacy Shield, she wanted the United States to work with the EU to set global standards.
The Commissioner also indicated that, within the first ten months of enactment of the GDPR, the following lessons have been learned:
- Preparing for compliance with the GPDR has allowed companies to evaluate their data practices, develop a better sense of the data they hold, and create a more trusting relationship with consumers
- While small businesses have indicated that they have struggled to comply with the GDPR, the Commissioner believes that these issues were a result of misunderstandings regarding the scope of requirements that apply to small businesses. To address these misunderstandings, she indicated that the European Commission has provided various resources, including an online GDPR toolkit
- Regarding data protection authorities (DPAs), she noted that it has become clear that fines are only one of the tools available to DPAs, and that fines will be used only after a thorough investigation and on the basis of the specific facts of the case
She concluded by noting that the European Commission will evaluate the application of the GDPR during its first year in an event held in June 2019. She added that the European Commission will report on the application of the GDPR in 2020.
On March 29, 2019, the United Kingdom's Information Commissioner's Office (ICO) launched a beta test of its "sandbox" environment to support tests of new products and services that use personal data for a "demonstrable public benefit." The ICO's goal with the sandbox is to allow participating developers to partner with ICO specialists in developing products and services that comply with the UK's various data protection rules. The ICO hopes that the sandbox will allow innovation, while giving developers comfort that their testing process will not result in an enforcement action, and possibly increase consumer trust in the development process. The beta phase is slated to end in September 2020, and applications are due no later than May 24, 2019. The ICO will accept applications for the sandbox program from developers to participate in the sandbox environment. The ICO states that participation in the sandbox program is free in its beta phase, and that it offers a "free, professional, fully functioning service for approximately 10 organizations" of different types and sizes across different areas of industry. The ICO states that it hopes to engage with start-ups, micro, small, and medium-sized organizations, and large companies across the public, private, and nonprofit sectors.
The ICO plans to assess applicants based on the product or service being developed, specifically how innovative it is, and whether it can provide a demonstrable public benefit. For this purpose, the ICO is evaluating public benefit based on the breadth, or number of people impacted, and the depth, or the amount of benefit provided. The ICO anticipates that the beta process will aid its development of public guidance and resources for data protection. It notes that successful entities will receive an on-site visit from a dedicated ICO team member to develop the sandbox integration.
On April 8, 2019, the UK Secretary of State for Digital, Culture, Media & Sport and the UK Secretary of State for the Home Department presented a report, "Online Harms White Paper," to the UK Parliament. The Online Harms White Paper focuses on preventing illegal and unacceptable content and activity online, in particular illegal and unacceptable content and activity on social media platforms, file-hosting sites, public discussion forums, messaging services, and search engines. Among other topics, the Online Harms White Paper presents a new regulatory framework for online safety and comments on the role of technology and awareness to discourage online behavior that threatens national security and the safety of children.
To address problems such as the spread of online propaganda, the sale of illegal goods, the incitement of violence, disinformation, and bullying, the Online Harms White Paper sets out a vision for a new regulatory framework, which would include new rules and an independent regulator to discourage such activities. In particular, the government intends to establish a new statutory duty of care to make companies take more responsibility for the safety of their users. All companies in scope would need to be able to show that they are fulfilling their duty of care, including updating relevant terms and conditions, creating easy-to-use consumer complaint mechanisms, and making terms clear and accessible, including to children and other vulnerable users. Compliance with this duty of care would be overseen and enforced by an independent regulator. The regulator would establish codes of conduct and have the power to levy fines.
According to the Online Harms White Paper, the government would collaborate with industry and civil society to develop a safety-by-design framework that would work with existing legal obligations around data protection-by-design and secure-by-design principles. According to the paper, the government also would develop a new online media literacy strategy to improve online media literacy education and awareness for children, young people, and adults.
The Online Harms White Paper sets out the government's proposed approach, and asks a series of questions about the design of the new regulatory framework. Public comments on the paper will be accepted until July 1, 2019.