Thank you, reader, for taking time out of your day to read this blog post. I trust before clicking on this link you first sought out our website's Privacy Policy and reviewed it in full, took mental notes while silently nodding throughout, and finished with an audible "I agree" before moving on to review this content. Correct?

Very likely you did not, but take solace in knowing you are in good company. Only 22% of Americans report "often" or "always" reading online privacy policies, and that's solely for websites which require browsers to affirmatively agree to a privacy policy (i.e., flashing a pop-up with some form of "check the box" affirmation). This does not engender much confidence that Americans are actively seeking out and consenting to the privacy policies embedded within the myriad of websites they visit on a daily basis. And who can blame them – a 2008 study estimated it would take 244 hours each year to read every privacy policy in full for all the websites an average web browser visited annually. So put down your summer beach novel and start reading privacy policies – you're already 10 weeks behind.

All kidding aside, this is a real problem for the United States' federal data privacy legal framework, which is guided in part upon the Federal Trade Commission's Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness ("Consumers should be given notice of an entity's information practices before any personal information is collected from them"), and (ii) consumer choice and consent ("In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice"). If the vast majority of websites utilize privacy policies which consumers are willfully ignoring or otherwise failing to recognize the existence of, much less comprehending their contents, how can one reasonably claim consumers are "on notice and aware" of privacy policies and exercising real "choice and consent" to the management of their personal data?

The foregoing acknowledgement is key to understanding the structural framework of U.S. Sen. Sherrod Brown's (D-Ohio) Data Accountability and Transparency Act of 2020 (DATA 2020), recently introduced in discussion draft form. Unlike the host of data privacy and security bills currently circulating the Senate, most of which generally seek to modify or enhance consumer's rights to enforce their own rights against malfeasant data processors, Sen. Brown's bill reflects a drastic shift of the "notice, awareness, choice, consent" burden away from consumers entirely and onto the data processors themselves. Rather than maintaining the permissive data privacy legal framework which allows data processors to manage consumer personal data largely as they see fit, so long as they disclose their intentions in a lengthy privacy policy (which, as we've established, the vast majority of their consumers will never actually read), Sen. Brown instead suggests a restrictive legal framework that will dictate, by statute, when and how data processors may use consumer's personal data, and to what extent.

Some notable items from the DATA 2020 draft bill include:

  • Requirement to show "permissible purpose": in all cases, data processors will be required to show a "permissible purpose" to process a consumer's personal data, and such "permissible purpose" is broken down into 12 categorical use cases.
  • Broadly-defined "unlawful data practices": while a number of federal statutes narrowly define particular data practices which are illegal (e.g., wrongful disclosure of PHI under HIPAA), DATA 2020 favors wholesale prohibitions on certain data usage practices, including (i) use of facial recognition technology, (ii) commingling of personal data from multiple platforms or business lines, and (iii) re-identification of anonymized data (subject to certain exceptions).
  • Establishment of "Data Accountability and Transparency Agency": a new Executive branch independent agency, empowered with rulemaking authority, would be formed to enforce the requirements proscribed in DATA 2020.

To be clear, the chances of DATA 2020 passing in this Congress are slim-to-none. However, its language appears to be instructive in possibly signaling policy priorities for a key segment of the Democratic Party, and should be read as another step forward in the 10+ year march towards all-encompassing federal data privacy and security legislation. If the Senate majority changes hands in November, we could see traction on this bill (or a similar bill adopting some/all of its key tenants) rather quickly.

Noting the above, what should your company do in the immediate future to ensure you're prepared for what is coming? We recommend the following:

  1. Review your current Privacy Policy in detail. With a keen eye, read your current privacy policy. Are each of the representations your business makes currently true? Are you strictly complying with each of the covenants set forth in your policy? If necessary, update your privacy policy to reflect current-state practices and revise or remove anything that isn't completely accurate.
  2. Analyze the necessity of each item of personal data you currently collect. Are there certain items of personal data that you are collecting from your customers "just because?" While U.S. law currently does not require you to identify a "permissible purpose" for every item of personal data collected that may well be the case in the not-so-distant future. It's worth narrowing the population of personal data you collect from your customers so that you can defend those practices under any legal framework to come.
  3. Stay informed of future legislation. While we cannot predict the future of federal data privacy and security legislation, we can (and will) provide timely analysis of any future legislative and rulemaking updates that may affect your company. We invite you to bookmark Taft's Privacy & Data Security Insights page and refer to it often.

As always, should you have any questions or want to discuss a go-forward strategy for your privacy policy, please reach out to an attorneys in Taft's Privacy and Data Security Practice.

Originally published August 5, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.