We can now take some time to look at the proposed American Privacy Rights Act. This bipartisan piece of legislation was introduced last week. After an initial review, there are some things of note that lead generators should be aware of even though this Act is just in the proposal stage.
1. Most lead generators are covered entities that collect covered data
The Act will only apply to covered entities. A covered entity is an entity that “determines the purposes and means of collecting, processing, retaining or transferring covered data” and any entity that “controls, is controlled by, is under common control with, or shares common branding with another entity”. The second portion of this is interesting because some businesses split out their lead gen operations into a separate entity to minimize risk. This proposal does not appear to allow that: an affiliate under common control or common branding is pulled into the definition along with the entity that actually handles the data.
When is data “covered data”? Generally, covered data will be “any information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals”. Basically, any information that a lead generator collects to share with a partner would fall under this definition.
Most lead generators will be covered entities because they are the ones determining why and how customer information is collected and/or transferred to third parties.
2. Most lead generators will be subject to this Act
There is a small business exception to the “covered entity” definition. However, the small business exception only applies to businesses that meet all of the following criteria:
- The business has average annual gross revenues in the preceding 3 calendar years of less than $40 million
- The business collects, processes, retains, or transfers the “covered data” of fewer than 200,000 individuals
- The business does NOT transfer “covered data” to a third party for revenue or anything of value
Lead generators will not qualify for the small business exemption because of the third criterion: transferring covered data to third parties for value is the core of the business. That holds even if their revenue and traffic fall below the first two thresholds.
3. The Act raises questions about the future of cross-sells
The proposed Act requires data minimization practices, which include not collecting, processing, retaining, or transferring covered data beyond what is necessary for a specific product or service requested by the individual OR for a “communication by the covered entity to the individual reasonably anticipated within the context of the relationship”.
A lead generator could still clearly disclose that an individual’s information will be used for cross-sells. But gone are the days of collecting consumer info and emails and then blindly passing that info to downstream users. Arguably, even a co-branded email that says “Hi John, we got your email from XYZ.com and we thought you would be interested in our offers” would no longer be allowed.
Clear and conspicuous consents for future emails and promotions will be necessary under this proposal.
4. The Act gives specific information on what data security practices a covered entity should have in place
While most lead generators probably already have data security practices, the Act does give specifics on what those practices should include. More importantly, the Act does seem to recognize that not all entities have the same issues, and that the data security practices of a large company will differ from those of a smaller company. It also requires the designation of one person at the company to be responsible for both the data security practices AND compliance with the Act.
5. A “consequential decision” opt-out
An entity that uses a covered algorithm to make or facilitate a consequential decision shall provide notice to any individual subject to such use of the covered algorithm AND an opportunity for the individual to opt out of such use of the algorithm. What is a consequential decision? A consequential decision in the proposed Act is a determination that uses covered data and relates to an individual’s or a class’s access to “equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities”.
So, basically EVERY lead generation category.
The notice should be clear, conspicuous, and not misleading. It should also give “meaningful information” about how the algorithm works for making the decisions.
Additionally, the disclosure must be made “readily accessible to and usable by individuals with disabilities”. It is fair to assume this will effectively require your site to be ADA compliant.
Additional guidance will be published by the FTC for compliance with the requirements around the use of algorithms for making consequential decisions.
6. The Act does have a private right of action
Consumers can file private lawsuits against entities violating their rights under the Act. And a lawsuit alleging substantial privacy harm or violation of a minor’s privacy will not be subject to mandatory arbitration even if the consumer consented to an arbitration agreement.
This is just an overview of the things that stood out in this Act that relate to lead generators. Bottom line: the Act (if passed) will require lead generation companies to review their data security practices and the consents they are getting from the consumer. Obviously, since it was just proposed, there will probably be changes, and it may not pass. But this proposal does seem to have more traction than prior proposed federal privacy bills.