FAQ on the "BEST PRACTICES Act" - Part One

Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. “BEST PRACTICES Act” or “Act”). Congressman Rush has been active in the data security/privacy legislation space. In December of 2009, his “Data Accountability and Trust Act” or (“DATA Act”) passed the House of Representatives. While DATA focused more on data security and breach notice, the stated focus of the BEST PRACTICES Act is as follows:

To foster transparency about the transparency about the commercial use of personal
information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.

This Act comes on the heels of the Boucher Bill, which also represents a comprehensive data privacy approach (for more information on the reactions to the Boucher Bill you can look here and here).

We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act.  Final note, this is not a law, but rather only a bill -- if passed at all, it is likely that the final version will vary from this initial proposal.

What kinds of entities does the Act apply to?

The Act defines “covered entities” to mean any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information.  However, section 601 of the Act limits the application of the Act to only those persons over which the Commission has authority pursuant to section 5(a)(2) of the FTC Act (Note:  this section previously indicated that the Act applied to all persons engaged in interstate commerce [which is in the definition of covered entity]; the error was noted by a reader and the correction made here). Covered entities do not include any divisions of Federal or state government or some entities that meet specified criteria (e.g. store less than 15,000 records; collect less than 12,000 records in a year, etc.; see definition of “covered entity” for more detail).

Observations:  Significantly, it does not appear that the definition of covered entity makes the traditional distinction between data owner/controller and service provider/processor. As such, service providers may be directly subject to the Act as a result of collection or storage of covered/sensitive information on behalf of their customers.

What kinds of information does the Act regulate?

The Act regulates “covered information” and “sensitive information.”

“Covered information” includes such information elements as first name or initial and last name, postal address, email address, telephone/fax number, government issued identification numbers (e.g. tax ID, driver’s license number, etc.), financial account numbers, credit/debit card number, access codes/passwords, “unique persistent identifiers” used to collect, store or identify information about a specific individual or create a profile (e.g. customer numbers, IP addresses, unique pseudonym), and any information collected, stored, used or disclosed in connection with the foregoing information. Section (B) of the definition also lists a number of important exclusions concerning certain business-related information.

“Sensitive information” means information associated with covered information of an individual that relates directly to the individual’s medical history or health, race or ethnicity, religious beliefs/affiliations, sexual orientation/behavior, financial information (income, assets, liabilities, etc.), a person’s geolocation information, unique biometric information or social security number.

Observations: The definitions of information regulated under the Act go well beyond any U.S. definition of personally identifiable information. For example, the “traditional” definition of PII normally requires first name and last name combined with additional information such as financial account numbers. The definition of “covered information” in the Act does not require such a combination – each data element stands on its own and may not need to be tied to or identify a specific person. If I, as an individual, had an email address that was wildwolf432@hotmail.com, that would would appear to satisfy the definition of covered information even if my name was not associated with it.

The definition of “sensitive information” echos similar definitions under the EU Data Protection Directive and other laws based on an EU Model. Interestingly, however, it also specifically includes geolocation information (which some believe may become a larger privacy issue with the prevalence of mobile computing and smartphones).

How does the Act promote transparency about the commercial use of information?

Section 101 of the Act purports to promote transparency by requiring covered entities to provide certain information about the covered entity’s information practices and the individual’s options with respect to such practices, including:

• the identity of the covered entity

• description of covered/sensitive information collected or stored by covered entity

• the specific purposes for which the covered entity collects and used the covered information, including how the covered entity customizes products/services/prices based on such information

• the specific purposes for which covered/sensitive information may be disclosed to third parties and the categories of third parties who may receive such information the choice and means for limiting the collection, use and disclosure of covered/sensitive information

• a description of the information any individual may request access to and the means for making such a request

• how the covered entity may merge, link or combine covered/sensitive information

• the retention schedule for covered/sensitive information including whether the entity will retain information permanently

• whether the individual can direct the deletion of information collected from or about the individual

• a reasonable means for individuals to contact the covered entities regarding their handing of covered/sensitive information

• the process by which the covered entity notifies individuals of material changes to its practices or policies

• a hyperlink to the FTC Commissioner’s online consumer complaint form or the FTC’s toll-free number for the Commissions Consumer Response Center

• the effective date of the privacy notice.

Observations: While much of the notice requirements of the Act parallel the Fair Information Privacy Principles, one could argue that the Act also includes notice elements that appear to go beyond such principles. These additional elements also appear to address current issues that some believe may pose privacy problems. For example, it is interesting that notice is required concerning where/how information will be merged or combined with other data. The retention schedule requirement is also interesting as it may address concerns that some have about some companies retaining data too long.

How must the notice required under the Act be provided?

Under section 102 of the Act, the notices described in the prior FAQ must be “concise, meaningful, timely, prominent, and easy-to-understand” in accordance with FTC regulations authorized under the Act that will be published later. Notices must be retained for six years from the later of the date the notice was issued or the date it was last in effect.

Is notice required for “in-person transactions”?

Under section 103 of the Act, it appears that the notice and information referenced above is not necessary for “in-person transactions” but only if the covered information is collected for an “operational purpose” (e.g.for the purpose of providing goods or services, managing operations, compliance with legal obligations or protection against risks and threats ) or if the covered entity is only collecting name, address, email or phone/fax and does not share the information or use that information to acquire additional information about the individual from third parties.

Observations:  Notably, the Act does not indicate that covered information needs to be collected solely for operational purposes. Based on the current wording, one could argue that if covered information was covered for both operational purposes and marketing purposes, it could fall under the “operational purposes” exception.

Are covered entities required to get consent from individuals for the collection and use of covered information?

Yes, under section 103 of the Act covered entities must provide “opt-out” consent in order to collect or use covered information (except for the collection or use of covered information for operational purposes). The Act indicates that a covered entity shall be considered to have obtained proper consent if it has provided the notice required under the Act, provides a reasonable means to exercise an opt-out right and decline consent; and the individual either affirmatively grants consent or does not decline consent.

The consent shall be considered permanent unless directed by the individual. However, the covered entity must provide an individual with a reasonable means to decline or revoke previously granted consent at any time.

A covered entity may also provide individuals with the ability to decline consent for specific uses of his or her personal information, but only if the individual has been given an opportunity to broadly opt-out of all collection and use of covered information.

May covered entities collection or use covered information as a condition of an individual’s receipt of a service or other benefit?

Yes, but only if: the covered entity has a direct relationship with the individual; the information is not shared with any third party without the express affirmative consent of the individual; the covered entity provides a clear, prominent and specific statement of the specific purposes for which covered information will be used; the individual provides consent by acknowledging such uses; and the individual is able to later withdraw consent.

Are covered entities required to get consent from individuals for the disclosure of covered information to third parties?

Yes. In general, a covered entity may not disclose information to a third party unless it has received express affirmative consent from the individual prior to disclosure. However, some exceptions apply.  For example, no such consent is necessary for joint marketing activities as long as the covered entity has entered into a contract with the third party that prohibits the disclosure of the information except as necessary to carry out the joint marketing relationship.

Are covered entities required to get consent from individuals for the collection, use or disclosure of sensitive information?

Yes. In general, under section 104 of the Act, a covered entity may not collect, use or disclose sensitive information to a third party unless it has received express affirmative consent from the individual.

Does the Act put any limitations or restrictions on behavioral advertising or tracking an individual’s Internet browsing activities?

Yes. Under section 104 of the Act, covered entities may not use software or hardware to monitor all or substantially all (a.k.a. “comprehensive online data collection”) of an individual’s browsing activity (or other significant Internet or computer activity), and may not collect, use or disclose information concerning that activity unless certain conditions are met.

Covered entities may engage in comprehensive online data collection if: they receive the express written consent of the individual or for the purpose of making such information accessible to the individual for the use by the individual.

Are there any exceptions to the consent requirements of the Act?

Yes, exceptions exist under section 106 of the Act.

Covered entities may disclose information to a service provider as long as it has obtained the initial consent to collect information and contractually prohibits the service provider from disclosing the information other than for purposes of carrying out the purpose for which the information was disclosed. However, the Act indicates that the covered entity remains responsible and liable for the protection of the information transferred to a service provider for processing.

Consent is also not required for collection, use or disclosure necessary for fraud detection, imminent danger or compliance with law.

In addition, consent under the Act is not necessary for the collection, use or disclosure of publicly available information. However, even publicly available information cannot be used by a covered entity for marketing purposes if the individual has opted out of such use.

Do covered entities have any obligation concerning the accuracy of information they collect, assemble or maintain?

Yes, section 201 of the Act requires covered entities to establish reasonable procedures to assure the accuracy of covered information or sensitive information they collect, assemble or maintain. This duty may be further fleshed out as section 201 requires the FTC to promulgate regulations to implement this section. Limited exceptions exist with respect to fraud databases and publicly available information.

Does the Act require the covered entity to provide individuals with access to covered information or sensitive information?

Yes, under section 202, covered entities are required to provide access to such information if such information may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit, or privilege. If the information could not reasonably result in an adverse decision, the covered entity is only required to provide a notice to the individual of the type of information the covered entity typically collects.

In addition, covered entities, upon request, must provide individuals with access to their personal files, but only if the entity stores such file in a manner that makes it accessible in the normal course of business.

However, none of the foregoing obligations apply to information retained for under 30 days.

Is there any time frame by which a covered entity must respond to a permitted access, correction or amendment request?

Yes, in general, under section 202(f), covered entities have thirty days from the receipt of such request to respond.

Does the Act impose any data security requirements with respect to covered information or sensitive information?

Yes, under section 302 of the Act each covered entity and service provider must establish, implement and maintain “reasonable and appropriate” administrative, technical and physical safeguards to:

• ensure the security, integrity, and confidentiality of the covered information or sensitive information it collects, assembles, or maintains

• protect against any anticipated threats, reasonably foreseeable vulnerabilities, or hazards to the security or integrity of such information; and

• protect against unauthorized access to or use of such information and loss, misuse, alteration, or destruction of such information.

The Act requires the FTC to promulgate regulations to implement this section.

Does the Act require covered entities to conduct any risk assessment with respect to its information handling practices?

Yes, under section 302 of the Act covered entities are required to conduct an assessment of the risks to individuals raised by its collection, use and disclosure of covered information or sensitive information prior to engaging in such activities (or if it believes there is a reasonable likelihood that it will engage in such activities), but only if such activities will involve more than 1 million individuals.

Does the Act require any audits or assessments?

Yes, covered entities must conduct periodic assessments to evaluate whether the covered/sensitive information it has collected remains necessary for the purposes described at the time of collection, and whether the covered entities’ ongoing collection practices remain necessary for legitimate business purposes.

Does the Act limit how long a covered entity can retain covered/sensitive information?

Yes, under section 303 of the Act covered entities may retain covered/sensitive information for only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement.

Coming up next in Part Two:  the “Safe Harbor” outlined in the Act, various exemptions for de-identified information and application and enforcement of the Act.