Privacy Legislation Update: The Three Corners Bill and the Cantwell Bill | Wilson Sonsini Goodrich & Rosati
On June 3, 2022, members of the United States Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and security framework. The draft is notable for reflecting a compromise on the two issues that have vexed lawmakers seeking federal privacy legislation for years: preemption and the private right of action. The House Energy and Commerce Committee announced a June 14 hearing to discuss the draft.
The discussion draft has become widely known as the “three corners” bill because it has the support of three of the four “corners” of the relevant committees: the Chair and Ranking Member of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee. Notably, the fourth “corner,” Senate Commerce Committee Chair Maria Cantwell, is circulating her own draft.[1] While there are similarities between the two drafts, the differences point to likely sticking points between the negotiators.
Overlap and similarities
Both drafts would apply to all entities under the jurisdiction of the Federal Trade Commission (FTC), as well as common carriers and not-for-profit entities. They would both require these entities to do the following:
- limit the amount of consumer data that may be collected, processed or transferred (i.e., data minimization);
- generally refrain from offering consumers financial inducements to waive their privacy rights;
- maintain privacy policies and provide consumers with rights to access, correct, delete and port data;
- implement reasonable data security;
- obtain consumer consent for the collection, processing and transfer of sensitive data (e.g. health, geolocation, race, sexual orientation);
- give consumers the option to opt out of targeted advertising[2] and of the transfer of data to third parties,[3] with the FTC to study the feasibility of a global opt-out and enact a rule if it deems such an opt-out feasible;
- refrain from any algorithmic discrimination; and
- implement data governance requirements, such as the requirement to have one or more privacy officers and data security officers.
In terms of the enforcement regime, the two bills would have the following effects:
- provide for enforcement by the FTC and state attorneys general;
- allow the FTC to seek civil penalties for first offenses, with the penalties deposited into a victim relief fund at the U.S. Department of the Treasury that the FTC can use to provide redress to victims;
- generally preempt state laws;[4] and
- create a limited private right of action (see our discussion of sticking points below).
The Three Corners draft includes some provisions not present in Cantwell’s draft, but which Senator Cantwell would likely support, including: 1) the creation of a registry of data brokers and the ability for consumers to request that data brokers refrain from collecting their data; 2) additional protections for children and adolescents; 3) a broad definition of “express affirmative consent,” which includes a prohibition on seeking consent through dark patterns; and 4) an obligation for companies to disclose whether they transfer personal data to Russia, China, Iran or North Korea. These provisions were likely added by Democratic sponsors, and Senator Cantwell would likely agree with their inclusion; they were presumably added to the Three Corners Bill later in the drafting process and therefore did not make it into Senator Cantwell’s draft.
Differences and sticking points
There are some areas where the two bills diverge, signaling likely sticking points in the negotiations:
- Private right of action: In both bills, the private right of action would cover only certain provisions. For example, there would be no private right of action for the data minimization provisions or for some of the data governance provisions. Under the Cantwell Bill, private rights of action could begin on the effective date of the legislation; notice and a right to cure would be required before seeking an injunction, but not before seeking monetary relief; and binding pre-dispute arbitration clauses would be prohibited for seriously privacy-intrusive practices. Under the Three Corners Bill, private rights of action would not be permitted until four years after the effective date of the legislation; small businesses would have an additional right to cure; and most binding pre-dispute arbitration clauses would be permitted. In addition, the Three Corners Bill would require potential class action plaintiffs to notify the FTC and the applicable state attorney general before filing suit, and plaintiffs could not sue if those agencies take action themselves.
- Duty of loyalty: Both bills include a “duty of loyalty” section. The Three Corners Bill limits the duty of loyalty to 1) a requirement to minimize the amount of data collected, 2) specific prohibitions on certain practices (e.g., transferring SSNs or non-consensual intimate images) and 3) a prohibition on offering financial inducements to waive rights under the bill. In addition to similar provisions, Cantwell’s version would also prohibit misleading and harmful data practices. Cantwell’s bill defines harmful data practices to include practices that cause or are likely to cause financial, physical or reputational injury, or an intrusion into an individual’s solitude or seclusion that would be offensive to a reasonable person. An outright ban on harmful data practices would likely have broad implications: under current law, a harmful practice is actionable only if the harm is not outweighed by countervailing benefits to consumers or competition.
- Safe harbors: The Three Corners Bill includes a safe harbor provision that would allow companies to work with approved third parties to have their privacy practices deemed compliant. Cantwell’s draft does not include a safe harbor.
- Whistleblower protections: While the Cantwell Draft specifically provides some legal protections for whistleblowers, the Three Corners Draft does not.
- Independent litigating authority for the FTC: Cantwell’s bill would allow the FTC to seek civil penalties on its own behalf, rather than having to work through the U.S. Department of Justice.
- Exemptions for small businesses and increased requirements for large data holders: Both bills contain exemptions for small businesses. For example, small businesses would not have to comply with the data portability requirements or implement particular security measures (e.g., vulnerability assessments). But the bills define “small business” differently. The Three Corners Bill would exempt companies that, in the previous three years, had less than $41 million in revenue, collected or processed the data of fewer than 100,000 individuals, and earned no more than 50% of their revenue from the transfer of consumer data. The Cantwell Bill has similar data thresholds for the exemption, but would exempt only companies that had less than $25 million in revenue in the previous three years. Both bills also impose increased requirements on “large data holders.” For example, large data holders must perform algorithmic impact assessments, have privacy and security officers who report to the CEO, and have their CEOs certify annually that the company complies with the bill’s requirements. The Three Corners Bill defines large data holders as entities that have annual gross revenues of more than $250 million and that collect, process or transfer the personal data of five million consumers (or the sensitive data of 100,000 consumers). The Cantwell Bill does not include the revenue threshold, but defines large data holders as entities that process or transfer the covered data of more than five million individuals or devices, or the covered sensitive data of more than 100,000 individuals or devices.
Takeaways
So what’s the bottom line? Will there be federal legislation this year? Here are some takeaways:
- Both drafts borrow heavily from concepts already found in state privacy laws and the GDPR. Companies that already comply with those requirements will have a significant head start if this legislation passes.
- Despite the sticking points, the negotiators have made enormous progress. Republicans appear to have conceded on some points (including a private right of action), and Democrats appear to have conceded on others (including preemption). The consensus on the substantive provisions is remarkable and seems to reflect a genuine interest in getting something done. It is a rare example of how a functional Congress can work.
- At the same time, given the significance of the sticking points and the limited time remaining in this Congress, federal privacy legislation may not be enacted this year. Nevertheless, states, other committees and industry groups often draw on existing drafts, so the concepts in these drafts may resurface in other contexts.
Notes
[1] Although Chair Cantwell has not officially released her bill, we have reviewed a widely circulated draft.
[2] Only “large data holders” would be required to do so under the Cantwell Bill. See the discussion of large data holders under “Differences and sticking points.”
[3] Service providers are not considered third parties under either bill.
[4] The Cantwell Bill preserves “laws relating to biometric or genetic information,” while the Three Corners Bill specifically preserves the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act but would presumably preempt other state laws on biometrics or genetics. The Cantwell Bill would also preserve state criminal and civil laws “regarding malicious behavior involving the use or misuse of personal information.”