On December 12, 2018, Senator Schatz (D-HI), along with 15 other Senators, introduced the Data Care Act of 2018 “to establish duties for online service providers with respect to end user data that such providers collect and use.”
The bill would require online service providers (“OSPs”)—defined as entities (1) “engaged in interstate commerce over the [I]nternet or any other digital network” and (2) that collect individual identifying information (“IID”) about end users in the course of or incidental to the course of business—to exercise the duties of care, loyalty, and confidentiality with respect to that information. If the bill becomes law, it will apply 180 days after the date of enactment.
The bill’s definition of IID is limited to information that is collected over the Internet or any other digital network and is information that can be “linked” or is “linkable” to an end user or device that is “associated with or routinely used by an end user.” The bill does not define “linkable”; however, to the extent the GDPR’s definition of “identifiable” in the context of personal data can be a guide, “linkable” is likely to have a broad reach. Under the GDPR, information is identifiable when it can be combined with other pieces of information in order to determine the identity of an individual, but a hypothetical possibility of identification is not sufficient; it must be reasonably likely in light of considerations such as time, cost, and technology.
The duties under the bill are as follows:
The Duty of Care
- OSPs must:
- reasonably secure IID from unauthorized access
- promptly notify end users of any breach of sensitive data; the FTC, subject to defined exceptions and considerations, has the power to promulgate rules for breach notification with respect to categories of IID other than sensitive data
The Duty of Loyalty
- OSPs cannot use IID in a manner that:
- benefits the OSP to the detriment of an end user
- will result in reasonably foreseeable physical or financial harm to the end user
- would be unexpected or highly offensive to a reasonable end user
They Duty of Confidentiality
- OSPs cannot disclose, sell, or share IID with any other person:
- except as consistent with the duties of care and loyalty
- unless that person enters into an agreement with the OSP that imposes the same duties of care, loyalty, and confidentiality owed to the end user by the OSP
- Must ensure any person to whom IID is disclosed, sold, or shared abides by the duties of care, loyalty, and confidentiality by, including but not limited to, regularly auditing that person’s data security and information practices
The bill gives the FTC enforcement and rulemaking authority and the ability to impose penalties, which will be an amount not to exceed the penalties permitted by 15 U.S.C. 45 (m)(1)(A) ($10,000) multiplied by the greater of (1) the number of days of non-compliance or (2) the number of end users harmed. The bill also allows for enforcement by state attorneys general.
Notably, and as was clearly favored by the Commissioners during the Senate subcommittee hearing on FTC Oversight on November 27, 2018, the bill also gives the FTC jurisdiction over non-profits and common carriers subject to the Communications Act of 1934