On March 20, 2024, the U.S. House of Representatives enacted the privacy bill HR 7520 (“data broker invoice).This is part of another privacy bill, HR 7521, approved by the House of Representatives on March 13, 2024 (“TikTok bill”), a mechanism will be introduced that could lead to the forced sale of TikTok.
The data broker bill (officially known as the Protecting Americans' Data from Foreign Enemies Act of 2024) would allow data brokers under the jurisdiction of the Federal Trade Commission to transfer sensitive personal information of U.S. residents located in the United States. Prohibits sales to business entities. Companies located in, or 20% or more owned by, Russia, China, Iran, or North Korea (referred to as “foreign adversaries”); Because this list is statutory, it is unlikely that it will be expanded by the FTC absent further legislative action.
“Sensitive personal information” is defined in section 7(c) of the bill. This includes social security numbers, other government-issued identifiers, health, financial, biometric, genetic information, location information, and web browsing information. This also includes voicemails, emails, text messages, call information, login credentials, calendar information, and information that reveals a person's status as a member of the military. This definition has more details.
This law only applies to data brokers. Data brokers include organizations that sell information about U.S. residents that is not collected directly from individuals. Excluded are organizations that report or publish news, publishers of publicly available information, and service providers.
The prohibition on the sale of personal information is not limited to the sale of large amounts of data and can be invoked in connection with the sale of information about a single individual. And it covers more than just regular sales, covering any transaction in which a data broker receives consideration of any kind. Similarly, it is not limited to the transmission of data, but also includes providing access to it.
The bill now goes to the Senate. Given the unanimous support in the House of Representatives, it seems likely that the bill will be approved in the Senate. The Tik-Tok bill is likely to be delayed. The ACLU has argued that this amounts to censorship, and some senators have balked at the broad discretion it gives the president. The data broker bill does not have similar concerns.
The White House has expressed support for the Tik-Tok bill, but has so far remained silent on the data broker bill, which overlaps with the Executive Order (“EO”) issued on February 28, 2024. The EO authorizes the Department of Justice to issue regulations governing bulk transfers of personal information to “countries of concern.” Unlike the data broker bill, which targets specific foreign countries by reference to existing law, the EO authorizes the Department of Justice, with the consent of the Secretary of State and the Secretary of Commerce, to identify countries of concern. . In addition to the four countries covered by the data broker bill, the EO also covers Cuba and Venezuela, according to reports.
The Tick Tok bill and the Data Broker bill constitute the first major US privacy legislation in years. It is narrow in the sense that it focuses on foreign adversaries, but it covers a wide range of activities. If passed, the bill would require data brokers to conduct due diligence on their customers to ensure that more than 20% of their customers are not owned by companies that have some relationship with a foreign adversary.
Violating the Data Brokers Act constitutes an unfair and deceptive trade practice and gives the FTC the authority to impose fines and require consent orders. If passed, it would create new compliance concerns for data brokers.