On April 23, 2018, Senators Klobuchar (D-Minn.) and Kennedy (R-La.) introduced the Social Media Privacy Protection and Consumer Rights Act of 2018 (“the Act”), which was referred to the Senate Commerce Committee. Like the CONSENT Act introduced by Senators Markey (D-Mass.) and Blumenthal (D-Conn.)—discussed in detail in our recent client alert, The CONSENT Act and Renewed Congressional Data Privacy Interest—the Act would, if enacted, enhance the Federal Trade Commission’s (“FTC”) authority to enforce new privacy and data breach notification obligations against companies operating online. This bipartisan proposal underscores the trend of increased Congressional interest in data privacy legislation.
- Scope. The Act would apply to “online platforms”—broadly defined to include public-facing websites or applications, as well as social networks, ad networks, search engines, email services, mobile operating systems, and Internet access services—that collect personal data from users. The Act defines “personal data” to include physical addresses, email addresses, telephone numbers, government identifiers, geolocation information, the content of messages, and protected health and financial information as defined in the HIPAA privacy rule and Gramm-Leach-Bliley Act respectively.
- Transparency and Choice. The Act would require a covered online platform to disclose its practices regarding the collection and use of personal data, including information about who can access users’ personal data and how that data is used. In addition, an online platform must provide new users with an opportunity to opt out of its default data collection and use practices, and must obtain affirmative opt-in consent from existing users before introducing new products or making material changes to those users’ existing privacy preferences. Online platforms must also ensure that users can withdraw their consent to data collection and use practices at any time. To the extent a service is inoperable without the collection or use of a user’s personal data, an online platform may deny services or access to users who do not consent to the necessary data practices.
- Breach Notification. The Act would require covered online platforms to provide notice to affected users within 72 hours after becoming aware that personal data has been transmitted in a manner contrary to the privacy preferences specified by the user. This notification threshold applies whether or not the transmission of personal data creates a reasonable risk of harm to the affected user.
- Additional Obligations. The Act would require covered online platforms to make a user’s personal data inaccessible within 30 days of that user closing his or her account or otherwise terminating his or her use of the service, and to furnish users with a copy of the personal data retained by the online platform, including a list of the third parties to whom that personal data has been disclosed.
- FTC Enforcement Authority. While the Act would not give the FTC rulemaking authority, it would treat violations of its substantive provisions as violations of “a rule defining an unfair or deceptive act or practice,” thereby providing the FTC with authority to impose civil penalties pursuant to 15 U.S.C. § 45(m).
- Preemption. The Act would authorize state attorneys general to bring cases for violations of its provisions on behalf of consumers in federal court and would not preempt state enforcement of existing privacy and breach notification statutes, thereby adding to the patchwork of various overlapping state and federal cybersecurity and data privacy regimes, without harmonizing them.
We will continue to monitor the Social Media Privacy Protection and Consumer Rights Act and other legislative proposals, and will provide updates here at the Davis Polk Cyber Breach Center as they progress.