FAQ on the "BEST PRACTICES Act" - Part Two

We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill, known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (a.k.a. the “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, the various exemptions for de-identified information, and the application and enforcement of the Act.

What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?

This appears to be a novel mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self-regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:

  • the express affirmative consent obligations in section 104(a);
  • the requirements of access to information under section 202(b) of the Act; or
  • liability in a private right of action brought under section 604 of the Act (discussed below).

Avoidance of the Act’s private right of action is especially significant in this context.

How does the “Choice Program” work?

It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a. Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modifications must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision, or its failure to act within the 270-day period, to a U.S. District Court.

The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.

This section is very interesting as it appears to allow for some regulatory flexibility and recognizes the limitations of a one-size-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more closely fits their business model/industry (while of course still providing the protection and choice the Act seeks to impose).

What are the requirements of a Choice Program under section 403 of the Act?

In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:

  • a clear and conspicuous opt-out mechanism that, when selected by the individual, prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable them to make more detailed choices about the transfer of covered information to a third party; and
  • a clear and conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preferences would have to be followed by all covered entities in the Choice Program.

I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entities can agree to provide individuals with a set of choices, the individual does not have to constantly make a choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between businesses and individuals seeking to protect their privacy and more efficiently control their information.

In addition, a Choice Program will be approved by the FTC only if it establishes:

  • Guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;
  • Procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process);
  • Procedures for periodic assessment of the Choice Program’s procedures;
  • Periodic compliance testing of covered entities participating in the Choice Program; and
  • Consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC).

Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body to be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.

Are there any types of information or activities exempted from regulation by the Act?

Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:

  • Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or
  • Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).

May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?

Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:

  • refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information; and
  • obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.

Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?

Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from information stripped of identifying information (as referenced in section 501(a)(2)). In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.

How does the Act relate/interact with other Federal privacy laws?

Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, the CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts may find themselves with the need to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.

How is the Act to be enforced by government agencies?

Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I through III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.

Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general, penalties may be available for every day that a covered entity is not in compliance with the Act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.

Does the Act provide a private right of action?

Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:

  • the greater of actual damages of not less than $100 and not more than $1000;
  • punitive damages; and
  • in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.

Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.

Does the Act preempt similar State laws?

The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information addressed in the Act.” However, the Act specifically would not preempt any of the following State laws:

  • State laws that address the collection, use or disclosure of health information or financial information;
  • State breach notice laws;
  • State trespass, contract or tort law; or
  • Other State laws to the extent that those laws relate to acts of fraud.

When would the Act come into effect if passed into law?

The Act, if passed, will take effect 2 years after the date it is enacted. However, the FTC has the option to stay enforcement of the Act in order for the FTC to establish the parameters of the Choice Program under title IV.