Addressing the Intersection of Civil Rights and Privacy: Federal Legislative Efforts

FILTER
January 24, 2022
Tatiana Rice
Deputy Director for U.S. Legislation
About Tatiana
Blogs by Tatiana

Last month, the National Telecommunications and Information Administration (NTIA) hosted virtual listening sessions on the intersection of data privacy, equity, and civil rights. Around the same time, the FTC announced that they will begin rulemaking on discriminatory practices in automated decision making, and currently, an influx of state legislation containing civil rights provisions have been introduced. 

Decades of research demonstrate the effects of data processing on existing structural inequalities such as race, gender, and disability, and there have been numerous attempts by federal and state governments to regulate the disparate impacts of data practices on protected classes. Though the intersection of data privacy and civil rights has been discussed in policy circles for years, these bills containing civil rights provisions have been surprisingly under-analyzed.

In the coming weeks and months, FPF will be publishing a blog series to provide an informative overview of government efforts to regulate discriminatory data practices through proposed legislation and executive agency enforcement. This blog is the first in the series and will cover federal legislative efforts.

In sum: 

  • In recent years, both Democrats and Republicans have introduced several comprehensive data privacy bills that would prohibit data processing that violates anti-discrimination laws. There is party division in areas of auditing/reporting burdens and enforcement. 
  • There is also division on the scope of civil rights protections. While some proposals intend to apply data processing activities to what is prohibited under the existing federal anti-discrimination framework, others propose effectively expanding civil rights laws, such as expanding the definition of “protected classes” and extending public accommodation law (which has traditionally only applied to physical spaces) to online sellers of goods and services. 
  • Some representatives and advocates remain concerned about the effects and enforcement of adtech and targeted advertising on marginalized and vulnerable populations.

Leading Federal Comprehensive Data Privacy Bills

Members of Congress have introduced a number of comprehensive data privacy bills in recent years, some of which contain civil rights provisions. The leading proposals from Democratic and Republican leaders in the Senate Commerce Committee are the Consumer Online Privacy Rights Act (COPRA) and the SAFE DATA (Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act).

Table 1 (below) provides a helpful comparison of the key civil rights provisions in each bill. In general, COPRA contains more comprehensive civil rights provisions than the SAFE DATA Act, which mainly codifies unlawful data processing activities under federal anti-discrimination laws and permits the FTC to inform other agencies about potential violations.

Under COPRA, it would be unlawful to conduct discriminatory data processing in areas covered by federal anti-discrimination laws, such as housing, employment, and education, on the basis of a protected class. Protected classes would include those already protected under the law (race, sex, disability, etc.), as well as include new ones such as source of income, familial status, and biometric information. COPRA would also require entities to conduct impact assessments on the accuracy, bias, and potential discrimination of their algorithms. Violations of the law would be enforced through the FTC, state AGs, or through a private right of action, where a plaintiff could recover up to $1,000 per violation per day. Small businesses, however, would be exempt. In comparison (see Table 1), the SAFE DATA Act contains few civil rights provisions.

Table 1.

COPRA, Section 108SAFE DATA, Section 201
Discrimination ProvisionsA covered entity shall not process or transfer covered data on the basis of [protected class] for the purpose of: 

(A) advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for a housing, employment, credit, or education opportunity, in a manner that unlawfully discriminates against or otherwise makes the opportunity unavailable to the individual or class of individuals; OR

(B) in a manner that unlawfully segregates, discriminates against, or otherwise makes unavailable to the individual or class of individuals the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.		Whenever the Commission obtains information that a covered entity may have processed or transferred covered data in violation of Federal anti-discrimination laws, the Commission shall transmit such information…to the appropriate Executive agency or State agency with authority to initiate proceedings relating to such violation.
Algorithmic Decision-making[A] covered entity engaged in algorithmic decision-making…to make or facilitate advertising for housing, education, employment or credit opportunities…or restrictions on the use of, any place of public accommodation, must annually conduct an impact assessment of such algorithmic decision-making that—

(A) describes and evaluates the development of the covered entity’s algorithmic decision-making processes including the design and training data used to develop the algorithmic decision-making process, how the algorithmic decision-making process was tested for accuracy, fairness, bias, and discrimination; and

(B) assesses whether the algorithmic decision-making system produces discriminatory results on the basis of an individual’s or class of individuals’ [protected class]		The Commission shall conduct a study…examining the use of algorithms to process covered data in a manner that may violate Federal anti-discrimination laws.
EnforcementFTC, state attorneys general, and by individuals through a private right of action

A plaintiff bringing suit would not be required to prove injury in fact (a violation alone is the injury) and could seek damages up to $1000/violation (or actual damages, if greater). 

The bill would also invalidate any pre-dispute arbitration agreement that waives claims arising under this law.		FTC, or other appropriate state or federal agency.
Table 1

Federal Sectoral Legislation

In some cases, sectoral efforts have taken a more dynamic approach to addressing specific harms. For example, Senator Markey (D-MA) introduced the Algorithmic Justice and Online Platform Transparency Act, which would prohibit unlawful discrimination in automated decision-making (as opposed to general data processing, as in COPRA and SAFE DATA) and impose transparency requirements mandating review and assessment of algorithms for disparate impact on protected classes. 

Importantly, the bill would explicitly extend public accommodation law to “any commercial entity that offers goods and services through the internet to the general public.” Currently, Title II and III of the Civil Rights Act of 1964 prohibit discrimination on the basis of race, color, national origin, or disability in places of “public accomodation,” such as hotels, restaurants, theaters, and similar physical spaces. The law has not been amended to extend to online commerce (and federal circuit courts are split on the issue with respect to Title III). While COPRA includes “places of public accommodation” within its scope of entities that may not conduct discriminatory data processing, it does not explicitly expand federal anti-discrimination law to online retailers and marketplaces. Markey’s bill would.

In a more recent example, the “Banning Surveillance Advertising Act,” introduced by Anna Eshoo (D-CA) this week, would flatly prohibit targeted advertising based on protected characteristics under current federal anti-discrimination law – such race, color, sex (including sexual orientation and gender expression), and disability. Unlike COPRA, the SAFE DATA Act, and the Markey bill, this legislation contains no small business exemption.

Advocates’ Goals

Most proposals have not gone as far as some civil rights advocates have proposed. For example, the Lawyers’ Committee for Civil Rights Under Law and Free Press introduced a comprehensive Model Bill in March 2019, that would not only would prohibit discrimination in economic opportunities (housing, employment, credit, insurance, or education) and in public accomodations (including any business that offers goods or services through the internet, as in the Markey bill), but also in any manner that would interfere with a person’s right to vote. Similar to COPRA, the Model Bill would also impose auditing requirements for discriminatory processing. 

In the Lawyers’ Committee proposal, the law would be enforced by the FTC, the states, the DOJ Civil Rights Division, or through a private right of action. The civil penalty for violation would be heftier than other legislation, with $16,500 per violation (or up to 4% of annual revenue if punitive damages are warranted or the action is brought by the state).  

Other notable provisions in the Model Bill which are not in COPRA nor the SAFE DATA Act include:

  • Expanded Definition of “Privacy Risk.” The expanded definition would include intangible harms such as psychological harm (anxiety, embarrassment, fear), stigmatization or reputational harm, and disruption from unwanted commercial solicitations. 
  • Shifting Burden of Proof. Typically, a party bringing a civil suit has a duty to prove each assertion or claim. Similar to existing civil rights law, however, the Model Bill would utilize a burden-shifting framework: where if the plaintiff demonstrates disparate impact on the basis of a protected characteristic from a data processing activity, the burden would shift to the defendant to show that such processing was necessary to achieve a substantial, legitimate, and nondiscriminatory interest. If the defendant meets that burden, the burden shifts back to the plaintiff to demonstrate that an alternative policy or practice could serve such interest with a less discriminatory effect. 
  • Affirmative Duty to Interrupt. Entities would have a duty to prevent or aid in preventing civil rights violations under the law, where any entity that makes a conscious effort to avoid actual knowledge of violation and has the ability to prevent or halt such violation shall also be liable. 
  • Targeted Advertising. At least some forms of targeted advertising would be regulated as an unfair and deceptive practice through the FTC, taking into consideration factors like predatory or manipulative practices that harm marginalized populations, as well as methods for promoting diversity and inclusion of small businesses owned by underrepresented populations, amongst others.

We anticipate that the debate regarding the scope and substance of civil rights protections in data privacy policy is just beginning. The NTIA intends to publish a Notice and Request for Comments in the Federal Register regarding this topic, where members of the public unable to participate in the Listening Sessions are encouraged to respond.

Published: Last Updated: January 24, 2022
Tags:

Explore

Issues

authors

dates

Posts by Tatiana

vector,map,of,united,states,of,america,(usa),abstract,blue
Future of Privacy Forum Convenes Over 200 State Lawmakers in AI Policy Working Group Focused on 2025 Legislative Sessions
Read More
ai,laws,and,regulations,concept.,hand,typing,on,laptop,with
FPF Unveils Report on Emerging Trends in U.S. State AI Regulation
Read More
california,state,capitol,building,,sacramento,,california
FPF Highlights Intersection of AI, Privacy, and Civil Rights in Response to California’s Proposed Employment Regulations
Read More
View More