Yet Another Proposed Federal Data Security and Breach Notification Bill: Senators Rockefeller and Pryor Jump Into the Fray

Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law.  This year has seen many of the usual proposals.  For those of you keeping track, this year's bills include:  Rep. Rush's Data Accountability and Trust Act -- HR 2221; Sen. Leahy's Personal Data Privacy and Security Act - S. 1490; Sen. Feinstein's Data Breach Notification Act - S. 139; and Sens. Carper's and Bennett's "Data Security Act of 2010" - S. 3579.  However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher's "discussion draft" and Rep. Rush's "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or "BEST PRACTICES Act").

Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" - S. 3742 (hereinafter "S. 3742" or the "Act").  S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation  mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act.  This post summarizes the key provisions in S. 3742.

Who is Covered

The proposed legislation would apply to persons and entities over which the FTC has authority AND non-profits.

Definition of Personal Information

Interestingly, the proposed definition of personal information looks like the traditional definition used in this country and not the more expansive definitions proposed in the Boucher Bill and BEST PRACTICES Act. The bill defines personal information as "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number. (ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."

However, the bill would allow the FTC to modify this definition by rulemaking (a) for purposes of the information security program and information broker provisions to the extent that the modification would not unreasonably impede interstate commerce and would accomplish the purposes of this Act; or (b) for purposes of the breach notification requirements to the extent that the modification is necessary to accommodate changes in technology or practices, would not unreasonably impede interstate commerce, and would accomplish the purposes of this Act.

Preemption

S. 3742 would preempt any state law that expressly (1) requires information security practices and treatment of data containing personal information similar to any of those required by the bill; and (2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.  The Act also makes clear that no person other than State Attorneys General may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of the Act.

Information Security Policies, Procedures and Programs

Like several of the other proposed federal bills, S. 3742 would require the FTC to promulgate regulations to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.  Reminiscent of some existing state and sectoral privacy and data security laws, this bill would require that such policies and procedures take into consideration (a) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity; (b) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (c) the cost of implementing such safeguards. 

Such policies and procedures would include (a) a security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information; (b) the identification of an officer or other individual as the point of contact with responsibility for the management of information security; (c) a process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by the covered entity, including regular monitoring for a breach of security; (d) a process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process, which might include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software; (e) a process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable; and (f) a standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

All of this sounds very similar to the Gramm-Leach-Bliley Act and Massachusetts' data security regulations, 201 CMR 17.00 et seq. (which took effect in March of this year) and therefore should not come as a surprise to most national or multinational organizations.

Special Requirements for Information Brokers

Not unlike the Leahy bill, S. 1490, S. 3742 includes a number of provisions that impose additional burdens and requirements on the collection, use, and disclosure of information by "information brokers."  These requirements include accuracy, access, and dispute requirements similar to the Fair Credit Reporting Act's (FCRA) requirements for consumer reporting agencies.  Indeed, the bill explicitly provides that information brokers engaged in activities subject to FCRA and who are in compliance with sections 609, 610, and 611 of FCRA shall be deemed to be in compliance with certain of the bill's information broker provisions.

So the first question is - well, who is an "information broker"?  An "information broker" under the bill:

(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.

The bill explicitly exempts from its information broker provisions "a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication."

Information brokers would be required to submit their security policies to the FTC in conjunction with a notification of a breach of security or upon request of the Commission.  Further, for any information broker required to provide notification of a security breach, the proposed legislation gives the FTC authority to conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).

In addition, information brokers would be required, with certain limited exceptions, to establish reasonable procedures to assure the maximum possible accuracy of the information they collect, assemble, or maintain regarding individuals other than information which merely identifies an individual's name or address. 

The bill also would require information brokers to provide to each individual whose personal information they maintain, at the individual's request at least one time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review their information, and to place a conspicuous notice on their websites instructing individuals how to request access to such information and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes.  (This refers to another portion of the bill that requires an information broker that maintains any information which is used, shared, or sold by such information broker for marketing purposes to, in lieu of complying with the normal access and dispute requirements, provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.)

Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, would be required to correct any inaccuracy.  There are exceptions to the access and dispute requirements in certain limited circumstances.

Information brokers would also be required to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information that they collect, assemble, or maintain.

The bill includes anti-pretexting provisions that would make it unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by (i) making a false, fictitious, or fraudulent statement or representation to any person; or (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

Breach Notification Requirements

The breach notification provisions of S. 3742 would require that any covered entity that owns or possesses data in electronic form containing personal information, not later than 60 days following the discovery of a breach of security of the system maintained by such covered entity that contains such data, (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and (2) notify the FTC.  The bill requires that a covered entity notify the major national credit reporting agencies of the timing and distribution of the notices if the covered entity must provide notification to more than 5,000 individuals.  Such notice must be provided prior to distribution of the notices to affected individuals if it will not delay notice to those individuals.

Before discussing in detail the breach notification requirements, it is important to note a major exemption and presumption built into the bill.  There is a risk of harm threshold in this bill.  A covered entity is exempt from the requirements if, following a breach of security, such covered entity determines that there is "no reasonable risk of identity theft, fraud, or other unlawful conduct."  Significantly, and reminiscent of the breach notification provisions in the HITECH Act, if the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field), there would be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case have been or are reasonably likely to be compromised.

It is clear that encryption is only one such technology or methodology anticipated by the bill.  The bill directs that, not later than one year after the date of the enactment and biannually thereafter, the Commission, after consultation with the National Institute of Standards and Technology (NIST), relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies, issue rules or guidance to identify security methodologies or technologies, such as encryption, which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. 

The law would require provision of two years of credit monitoring services.  A covered entity required to provide notification must, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual (A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual's request and continuing on a quarterly basis for a period of 2 years thereafter; or (B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual's request and continuing for a period of 2 years.  (There is an exception if the only personal information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.)  As part of the FTC's obligation to promulgate regulations on breach notification, the FTC must "establish a simple process under which a covered entity that is a small business or small non-profit organization may request a partial waiver or a modified or alternative means of responding if providing or arranging for such reports, monitoring, or service is not feasible due to excessive costs relative to the resources of the small business or small non-profit entity and the level of harm to consumers caused by the data breach."

The notification to individuals must include:

(i) the date, estimated date, or estimated date range of the breach of security;

(ii) a description of the personal information that was acquired or accessed by an unauthorized person;

(iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;

(iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;

(v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

(vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.

In the event of a breach of security of the system maintained by any third party entity contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity would be required to notify the covered entity of the breach of security.

Interestingly, the bill includes special provisions for "service providers," defined as covered entities "that provide[] electronic data transmission, routing, intermediate and transient storage, or connections to [their] system or network, where the covered entit[ies] providing such services do[] not select or modify the content of the electronic data, [are] not the sender or the intended recipient of the data, and such covered entit[ies] transmit[], route[], store[], or provide[] connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections."  For breach notification purposes, the bill provides that, if a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider is required to notify only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified.

Notification of individuals may be delayed if a covered entity can show that providing notice within 60 days of discovery is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case the notification must be made as promptly as possible.  As in most federal proposed bills and many existing state breach notification laws, if a law enforcement agency determines that the notification would impede a civil or criminal investigation, notification must be delayed upon the written request of the law enforcement agency (in this case for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing). A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request if further delay is necessary.  Similarly, if a Federal national security agency or homeland security agency determines that the notification would threaten national or homeland security, notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. The agency may revoke such delay or extend the period of time set forth in the original request by a subsequent written request if further delay is necessary.

Notification must be provided in writing by mail (or email under certain circumstances).  Substitute notification is allowed if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to (i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the FTC, or (ii) lack of sufficient contact information for the individual required to be notified.  Like California's SB 1386 (Civil Code section 1798.82), such substitute notification must include (i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification; (ii) a conspicuous notice on the website of the covered entity; and (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.

The bill requires the FTC to promulgate regulations regarding breach notification AND to provide and publish general guidance on compliance, including (i) a description of written or e-mail notification that complies with the requirements; and (ii) guidance on the content of substitute notification.

The bill grants the FTC authority to place any breach notifications it receives in a clear and conspicuous location on its website if the Commission finds that doing so would be in the public interest or for the protection of consumers.

Enforcement

The FTC and State Attorneys General may enforce the bill.

Breaking Down the Boucher Bill

In early May, Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a long anticipated "discussion draft" of a bill "[t]o require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual."  You have probably heard that industry and consumer groups alike are not happy with the discussion draft.  What exactly is the Boucher Bill and what would it mean for almost every company engaged in the collection, use or disclosure of personal information (not just companies engaged in online behavioral advertising)?  Following is a FAQ.  Comments on the draft legislation are due June 4 (mark your calendars).


  • Isn't the Boucher Bill just about online behavioral advertising conducted by large marketers?

No.  The Boucher Bill is proposed federal privacy and data security legislation that is very broad and far-reaching and goes way beyond regulation of online behavioral advertising as defined by the FTC.

  • What would the Boucher Bill prohibit?

Under the Boucher Bill, a "covered entity" would be prohibited from collecting, using, or disclosing "covered information" from or about an individual for any purpose unless the covered entity (A) makes available to the individual a prescribed form of privacy notice prior to the collection of any covered information; and (B) obtains the consent of the individual to such collection in the manner set forth in the Bill.

This is interesting given that many regulators and legislators, including the FTC, have been calling for an end to the notice and consent model when it comes to meaningful privacy choice.

  • What is a "covered entity"?

The Boucher Bill broadly defines a "covered entity" as any person engaged in interstate commerce that collects data containing covered information.  A covered entity would not include a government agency or any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.  Thus, it appears that just about any organization with more than 5,000 employees and/or customers would be a "covered entity" under the Boucher Bill.

  • What is "covered information"?

The short answer is - just about anything that identifies (or even might identify) an individual.  "Covered information" is defined as, with respect to an individual, any of the following:

  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
  7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in 1-9 above.

  • What is a "preference profile"?

A "preference profile" is a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

  • How would a "covered entity" collecting "covered information" provide the required notice?

The answer depends on whether the covered entity collects the information online or offline.

Online:  If a covered entity collects covered information through the Internet, the Boucher Bill requires that it post a privacy notice clearly and conspicuously on the website through which the covered information is collected.  The privacy notice must be accessible through a direct link from the Internet homepage of the covered entity.  This is very much like California's Online Privacy Protection Act, Business and Professions Code section 22575 et seq.

Offline:  Unlike California (or any existing state law), the Boucher Bill would require notice even where information is collected offline or by means other than the Internet.  If a covered entity collects covered information by any means that does not utilize the Internet, the Bill requires that notice be made available to an individual in writing before the covered entity collects any covered information from that individual.

  • What information must be included in the privacy notice?

The privacy notice (for online and offline collection) must include all of the following:

  1. The identity of the covered entity collecting the covered information;
  2. A description of any covered information collected by the covered entity;
  3. How the covered entity collects covered information;
  4. The specific purposes for which the covered entity collects and uses covered information;
  5. How the covered entity stores covered information;
  6. How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties [an "unaffiliated party" is any entity that is not related by common ownership or affiliated by corporate control with a covered entity];
  7. How long the covered entity retains covered information in identifiable form;
  8. How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period;
  9. The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose;
  10. The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information;
  11. The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity;
  12. A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information;
  13. The process by which the covered entity notifies individuals of material changes to its privacy notice;
  14. A hyperlink to or a listing of the FTC's online consumer complaint form or the toll-free telephone number for the FTC's Consumer Response Center; and
  15. The effective date of the privacy notice.

This goes far beyond the content requirements of California's Online Privacy Protection Act.

  • Are there any exceptions to these notice requirements?

Yes. The notice requirements would not apply to covered information that (1) is collected by any means that does not utilize the Internet and (2) (a) is collected for a "transactional purpose" or an "operational purpose" or (b) consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a "first party transaction."

  • What is a "transactional purpose"?

A "transactional purpose" is a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

  • What is an "operational purpose"?

An "operational purpose" is a purpose reasonably necessary for the operation of the covered entity, including (i) providing, operating, or improving a product or service used, requested, or authorized by an individual; (ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud; (iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations; (iv) carrying out an employment relationship with an individual; (v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and (vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.  However, "operational purpose" does not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

  • What is a "first party transaction"?

A "first party transaction" is an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

  • Do the consent requirements call for opt-in or opt-out consent?

It depends. 

Opt-out consent is enough in many circumstances.  Under the Bill, a covered entity is deemed to have the consent of an individual for the collection and use of covered information relating to that individual if the covered entity has provided to the individual a clear statement containing the information described above and informing the individual that he or she has the right to decline consent to such collection and use, and the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.  (However, if an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.)  Alternatively, a covered entity may comply by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

However, some situations require opt-in consent:

  1. A covered entity must provide the notice described above and obtain the express affirmative consent of the individual prior to making a material change in privacy practices governing previously collected covered information from that individual or disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.  This would codify existing law that a company may not unilaterally alter its privacy policy and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).
     
  2. A covered entity is prohibited from selling, sharing, or otherwise disclosing covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.  This would represent a fundamental change in existing US privacy law, except in particular narrow sectors.  Further, a covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
     
  3. A covered entity is prohibited from collecting or disclosing sensitive information from or about an individual for any purpose unless the covered entity makes available to such individual the privacy notice described above prior to the collection of any sensitive information and obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.  ["Sensitive information" is any information that is associated with covered information of an individual and relates to that individual’s (A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (B) race or ethnicity; (C) religious beliefs; (D) sexual orientation; (E) financial records and other financial information associated with a financial account, including balances and other financial information; or (F) precise geolocation information.]  This would also be a significant shift in US privacy law, bringing the US much closer to existing stringent privacy protections in the EU.
     
  4. A covered entity is prohibited from collecting or disclosing covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity makes available to such individual the privacy notice described above prior to the collection of the covered information about all or substantially all of the individual’s online activity and obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
     
  5. With certain limited exceptions, any provider of a product or service that uses location-based information would be prohibited from disclosing such location-based information concerning the user of such product or service without that user’s express opt-in consent.

  • Are there any exceptions from these consent requirements?

Yes, but only with respect to the opt-out consent requirements and the opt-in consent requirements under (1) and (2) above.  There are no exceptions to the opt-in requirements under (3), (4) and (5) above.

The opt-out requirements and the Gateway-type opt-in requirements described in (1) above do not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose.

The opt-in requirements described in (2) above do not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if (A) the covered entity has obtained consent for the collection of covered information (opt-out and/or Gateway-type opt-in consent described above); and (B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.   [A "service provider" is an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.]

In addition, notwithstanding (2) above, a covered entity may collect, use, and disclose covered information if (1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by (A) website interactions on the covered entity’s website or a website where the preference profile is being used; (B) a toll-free phone number; or (C) letter to an address provided by the covered entity; (2) the covered entity deletes or renders anonymous any covered information not later than 24 months after the date the covered information is first collected; (3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that (A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual’s preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and (B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and (4) an advertisement network to which a covered entity discloses covered information does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.  [An "advertisement network" is an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.]

  • Are there any other exemptions under the Bill?

Yes.  The Bill explicitly provides that nothing therein shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

  • What is "aggregate information"?

"Aggregate information" is data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

  • What does "render anonymous" mean?

"Render anonymous" means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify the specific individual to whom such covered information relates or a computer or device owned or used by a particular user.

  • Does the Boucher Bill include any data security requirements?

Yes.  A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the FTC determines are necessary to (A) ensure the security, integrity, and confidentiality of such information; (B) protect against anticipated threats or hazards to the security or integrity of such information; (C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and (D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.  The Bill would therefore extend certain GLBA- and HIPAA-like protections to non-financial and non-health care sectors.

The Bill anticipates that the FTC will develop standards to carry out this section and, in doing so, will consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards. 

The Bill prohibits the FTC, in promulgating rules pursuant to the Bill, from requiring the deployment or use of any specific products or technologies, including any specific computer software or hardware. Thus, the Bill seeks to make any security requirements technology-neutral (similar to the Massachusetts data security regulations and other state data security laws).

  • Does the Boucher Bill say anything about data integrity?

Not exactly.  The Boucher Bill addresses data "accuracy," requiring in very general terms that a covered entity "establish reasonable procedures to assure the accuracy of the covered information it collects."

  • Who would enforce the Boucher Bill?

Not surprisingly, the Bill gives the FTC enforcement power and would make a violation an unfair and deceptive act or practice in violation of the FTC Act.

The Boucher Bill also gives State attorneys general the power to bring a civil action seeking injunctive relief and/or damages.

The Bill explicitly states that it does not provide any private right of action.

  • Would the Boucher Bill preempt state law?

Yes, the Bill would preempt many state laws.  The Bill would supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information. 

The Bill would have no effect on GLBA, HIPAA, COPPA, the CAN-SPAM Act, certain other federal laws, or the FTC's authority pursuant to other laws.