For quite some time it has been unlikely that the United States would have a federal comprehensive privacy law. That could be about to change. The federal legislature is coming closer than ever to agreeing on a comprehensive federal privacy law. In the past the two main holdups were disagreement over whether such a law would preempt the growing patchwork of state privacy laws, and whether individuals would have a private right of action. The compromise seems to be that there would generally be preemption (with a number of exceptions, such as state education and healthcare privacy laws, general consumer protection laws), and individuals would have a private right of action in certain circumstances.
The definition of “covered data” is very broad: “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals”. The term “covered data” does not include (i) de-identified data; (ii) employee information; (iii) publicly available information; and (iv) inferences made exclusively from multiple independent sources of publicly available information, provided that certain criteria are met.
The proposed law would apply to covered entities, meaning, any entity (i.e., an individual, trust, partnership, association, organization, company, or corporation) that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and satisfies one of the following criteria:
(I) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.) – which applies to activities affecting interstate or intercountry commerce; or
(II) is a common carrier subject to title II of the Communications Act of 22 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or
(III) is an organization not organized to carry on business for their own profit or that of their members (although there is an exclusion for nonprofit organizations whose primary mission is to prevent, investigate, or deter fraud or to train anti-fraud professionals or educate the public about fraud, including insurance fraud, securities fraud, and financial fraud to the extent the organization collects, processes, retains, or transfers covered data in furtherance of such primary mission – but they still must comply with the requirements of the proposed law data relating to security and protection of covered data);
The definition also includes any entity that controls, is controlled by, is under common control with, or shares common branding with another covered entity.
Among other exclusions is one for “small businesses”. The proposed law defines a small business as an entity (including any affiliate of the entity) that meets the following criteria:
- has average annual gross revenues for the period of the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) that did not exceed $40,000,000;
- on average, did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return or warranty policy; and
- did not transfer covered data to a third party in exchange for revenue or anything of value.
As far as the small business exclusion is concerned, while revenues of $40 million over a three year period might be a stretch for some organizations, there still will be many that meet that threshold. Collecting/processing the covered data of at least 200,000 individuals per year also might seem unlikely to a lot of organizations, but covered data includes IP addresses, device and browser identifiers from website visitors, covered data of individuals subscribing to publications, participating in chats, blogs, etc., so it is not as unlikely as one might think, especially if organizations are not deleting or re-identifying the payment related covered data within the required 90 day period as required under the second criterion of the small business exclusion. Furthermore, many service provider agreements allow the service providers to use the covered data they obtain for their own purposes as well (e.g., digital marketers), which potentially could be considered an exchange of covered data to the service provider for something of value (i.e., the service rendered to the customer). California law adopts this broad view of exchange for value. A narrower view would require monetary consideration, but the proposed law says “revenue or anything of value”.