HOW WOULD A NEW NATIONWIDE PRIVACY LAW IMPACT COMMUNICATION SERVICE PROVIDERS?
Congress may soon adopt a statute to provide nationwide privacy protection for personal information collected online. How would the new law affect communication service providers (CSPs)?
State privacy initiatives are pushing Congress to enact a nationwide privacy law
Companies that provide services through the internet commonly collect records containing personal facts about their customers. Meanwhile, the service providers increasingly sell those records to third parties, especially for marketing purposes. No single nationwide law protects the privacy of this personal data. Privacy advocates have called for a national privacy law, but in the absence of congressional action, individual states have taken matters into their own hands. Last year California adopted a strong privacy law, and other states have signaled their intent to follow suit. The specter of 50 different privacy mandates has provoked anxiety in the business community.
Arguably, the pro-privacy trend in America was inspired by a strong European privacy law called the General Data Protection Regulation (GDPR), which gained approval in 2016 and took effect in 2018. The GDPR gave “data subjects” the “fundamental right” to decide how their personal information is “controlled” and “processed.” Fines for breaches of the GDPR were set as high as four percent of a violator’s annual revenue. Since the advent of GDPR, many non-European nations have decided to craft similar nationwide privacy laws. Experts believe the widespread legislation could make the GDPR a global standard.
In response to the above policy tensions, congressmen have proposed nearly a dozen privacy laws that would apply nationwide and potentially preempt the state initiatives. The proposals would generally protect the privacy of all Americans who disclose personal information in their online transactions. Some of the legislative approaches would give consumers a privacy-protecting “bill of rights” similar to the GDPR. Other draft statutes would focus more on cyber security and data breach notices. Most of the legal schemes would be implemented through the Federal Trade Commission (FTC).
CSPs already operate under a nationwide privacy law: the SCA
CSPs use online-generated records to register and serve subscribers. These service providers already follow legal guidelines to protect the privacy of the records and disclose them in response to due process requests from law enforcement. The records-management policies are governed by the federal Stored Communications Act (SCA).
How would a new nationwide privacy law be reconciled with the SCA?
A new nationwide privacy law would likely parallel the SCA
None of the data privacy laws percolating on Capitol Hill would abolish or limit the SCA. Instead, the privacy measures would co-exist with the SCA. As a result, CSPs would continue to receive investigative requests from law enforcement. However, a mistake in handling subscriber records could subject the CSP to liability under both the new law and the SCA.
Reviewing a sample of the pending privacy bills reveals the potential interplay between those legal frameworks and the SCA.
The proposed Consumer Data Protection Act (S. 2188) would govern companies that use the internet to collect and share consumer data. It would instruct the FTC to establish a national “Do Not Track” website, similar to the existing “Do Not Call” site, so consumers may opt out of unwanted online marketing. The Act would not cover:
by law; … disclosures made pursuant to an order of a court or administrative tribunal; … disclosures made in response to a subpoena, discovery request, or other lawful process …. or … disclosures made to investigate, protect themselves and their customers from, or recover from fraud, cyber attacks, or other unlawful activity ….
A violation of the Act could trigger an FTC investigation and a fine totaling up to $25 million. In addition, an aggrieved consumer could pursue a private cause of action to recover damages, including punitive damages in egregious cases.
Under the Consumer Data Protection Act, if a law enforcement agency serves a CSP with a valid subpoena for a suspect’s subscriber records, the CSP would be required by the SCA to disclose the records, and the disclosure would be exempt from the Consumer Data Protection Act. However, if the CSP sends a subscriber a marketing message despite the person’s Do-Not-Track command, the CSP could be liable under both the SCA and the Consumer Data Protection Act.
The proposed Information Transparency & Personal Data Control Act (H.R. 6864) would generally govern web site “operators” engaged in the collection and sale of “sensitive personal information,” including financial information. Among other things, the bill would require the operators to: (a) give customers notice and a right of opt-in consent to the use of the sensitive data; and (b) observe policies to protect the privacy and security of the data. The bill would exempt sensitive data uses when the operators are “responding in good faith to valid legal process.” In an enforcement proceeding the FTC could levy a fine of up to $40,000.
Under this statutory formula, suppose a law enforcement agency sends a CSP a valid subpoena to learn a suspect/subscriber’s credit card payment information. Under the SCA, the service provider would properly disclose the credit card details. And because this sensitive personal information would be delivered in response to valid legal process, the disclosure would be exempt from the Information Transparency & Personal Data Control Act. Nevertheless, if the CSP were to sell the credit card data to an internet data broker, the seller could be punished under both the SCA and the Information Transparency & Personal Data Control Act.
The Congressional privacy bills that focus on cyber security and data breaches would likewise apply independently of the SCA. For example, if someone were to hack into a CSP’s customer care database and delete subscriber records, the service provider might suffer penalties under both the data breach law and the SCA.
CSPs should prepare to meet both a new nationwide privacy law and the SCA
Congress is responding to growing public pressure for a nationwide data privacy law. The planned national privacy law may parallel some or all of the GDPR. For now, the question for CSPs is not whether such a national law would reduce their obligation to meet the needs of law enforcement. It would not. The new law would likely exempt valid SCA disclosures.
The greater concern is how CSPs would cope with any new privacy law layered atop the SCA. In an age of dual federal privacy regimes, a privacy violation could subject a CSP to two federal enforcement actions. CSPs should therefore prepare their privacy programs for a new source of potential liability.