Closer than Apart: Comparing Senate Commerce Committee Bills
Post By: Stacey Gray, Senior Counsel, and Polly Sanderson, Policy Counsel, Future of Privacy Forum
Over the Thanksgiving holiday, we saw for the first time a public Staff Discussion Draft of a federal comprehensive privacy law from the office of Senator Wicker (R-MS), the Chairman of the Senate Commerce Committee. Together with Senator Cantwell (D-WA)’s bill, the Consumer Online Privacy Rights Act, introduced last week with leading Democrat co-sponsors, Senator Wicker’s Discussion Draft represents a significant movement toward bipartisan negotiations in the Senate. We expect to see these negotiations play out during this Wednesday’s Senate Commerce Committee Hearing (12/4 at 10:00 AM), and through the New Year.
How do the two bills, one from leading Democrats, and one from the Republican Chairman, compare to each other? We find them to be closer together on most issues than they are apart: a promising sign for bipartisan progress. Here is FPF’s breakdown of all the major commonalities and differences in the two bills (as they currently exist).
Significant Commonalities (with some differences):
Covered Data – Both bills define covered data as “linked or reasonably linkable,” including inferences or derived data; both exclude employee data, de-identified data, and public records. The Wicker draft would also broadly exempt publicly available information from regulation (a key difference below).
Covered Entities and Small Business Exemption – Both bills would govern commercial businesses, either those already governed by the FTC Act (Cantwell), or those “affecting interstate commerce” (Wicker). Both contain a small business exemption, from the entire bill (Cantwell), or from the bulk of core obligations (Wicker).
Transparency – Both would require detailed public privacy policies, including: categories of data collected/transferred, processing purposes, retention practices, and how to exercise rights. Cantwell additionally would require disclosure of the specific identities of all third parties to which data is transferred (102(b)(3)(B)).
Access – Both would require companies to provide individuals with a copy “or accurate representation” of their data upon “verified request” and the names of third parties to whom it has been transferred (and, in Wicker, the names of service providers), free of charge (although Wicker limits free requests to 2/year).
Deletion, Correction & Portability – Both bills would require companies, upon “verified request” to correct or delete covered data of an individual and inform service providers and third parties of the request, although the Wicker draft uses the phrase “delete or deidentify.” Both would require that data be provided upon request “in a structured, interoperable, and machine-readable format,” “without licensing restrictions,” although to this list Wicker adds the term “standards-based.” Both exclude inferred or derived data from portability requests.
Opt-Outs for Non-Sensitive Data – Cantwell would establish a right to object to data transfers, subject to a process established by FTC rulemaking, within guidelines (clear and conspicuous, centralized, with the ability for individuals to view and change the status of their objection, and informed by the Do Not Call Registry) (105(b)). Wicker would more broadly allow individuals to “object to the processing and transfer” of data, but would not require specific rulemaking on this point (104(d)).
Opt-In for Sensitive Data – Both bills would require “prior, affirmative express consent” for processing of sensitive data, including biometric data (with restrictions on what consent must require, in definitions for Cantwell, and in the text of Sec. 105 for Wicker). The definition of “sensitive data” in the Cantwell bill is significantly broader, containing “browsing history,” “email,” and “phone number” (these are not included in Wicker).
Commercial IRBs for Ethical Research – Among similar lists of enumerated exceptions to individual rights (for e.g. product recalls, audits, etc.), both bills contain an exemption for research governed by commercial IRBs or similar oversight entities meeting standards promulgated by the FTC (Cantwell 110(d)) (Wicker 108(a)).
Privacy and Security Officers & Risk Assessments – Both bills would require companies to appoint a designated privacy officer and security officer, with responsibilities to facilitate compliance with the Acts. In addition, the Cantwell bill would create specific responsibilities to implement and oversee a comprehensive data privacy and security program, including annual “privacy and data security risk assessments,” among their other quality control responsibilities (Sec. 202). Wicker would only require “large data holders” to undergo similar internal “privacy impact assessments” (Sec. 107).
Deepfakes / Digital Content Forgeries – Both bills would require federal agencies (NIST, and in Wicker, NIST and the FTC) to study and produce reports on the definition, assessments and analysis, of “digital content forgeries.”
Algorithmic Bias & Civil Rights – Cantwell would require companies to conduct annual algorithmic decisionmaking impact assessments for bias, and both bills would require the FTC to publish a report (Cantwell) or a report every 5 years (Wicker) examining the uses of algorithms to process covered data in ways that may violate anti-discrimination laws. In addition, Cantwell goes significantly further by directly prohibiting covered entities from processing or transferring covered data on the basis of protected characteristics for specified purposes (Sec. 108).
Significant Differences:
Effective Dates – Cantwell: 180 days after passage; Wicker: 2 years
Publicly available information – While both bills would exclude “public records” from covered data, Cantwell would still govern “publicly available information” (although excluding it from deletion and correction obligations). In contrast, the Wicker draft would exclude all data “widely available to the general public” from the definition of covered data, thus exempting it from all regulation.
Enforcement – While both bills situate the FTC and State AGs as enforcers, the Cantwell bill would also create a broad private right of action for individuals to bring civil actions, and receive penalties of $100-$1,000 per violation per day, or actual damages, whichever is greater; punitive damages; reasonable attorney’s fees and litigation costs; and/or any other judicial relief deemed appropriate.
Preemption – The Wicker bill would preempt very broadly (any state “law, regulation, rule, requirement, or standard related to the data privacy or security and associated activities of covered entities.”) In contrast, the Cantwell bill would not preempt any state laws beyond those “directly conflicting,” to the extent of the conflict.
Children’s Data (Wicker Only) – While the Cantwell bill does not contain any special protections for children’s data, the Wicker draft would require affirmative consent prior to any transfers of data from children under 16. (Wicker 104(c)).
Certification Programs (Wicker Only) – The Wicker draft would allow the FTC to approve self-regulatory “certification programs” developed by businesses or industry associations, so long as they meet certain requirements for eligibility (Sec. 403).
Data Broker Registration Requirements (Wicker Only) – The Wicker draft would require data brokers (a “data broker” is an entity that “knowingly collects or processes on behalf of, or transfers to, third parties the covered data of an individual with whom the entity does not have a direct relationship”) to register basic contact information annually with the FTC, with civil penalties for failing to register.
Executive Responsibility (Cantwell only) – The Cantwell bill would require the CEO or top officer, and the privacy and data security officers, of “large data holders,” to make annual certifications to the FTC regarding adequate internal controls.
Whistleblower Provisions (effectively Cantwell Only) – The Cantwell bill would create robust protections for whistleblowers (defined broadly) against any retaliatory action (also defined broadly), including civil remedies of reinstatement, back pay and damages. In contrast, the Wicker draft defines “whistleblower” narrowly (provider of “original information” to an agency), and provides no legal remedies to individuals; instead, it provides only that the FTC may take into account any retaliation against a whistleblower when assessing penalties.
Did we miss anything? Let us know at [email protected] as we continue tracking these developments.
Starting Point for Negotiation: An Analysis of Senate Democratic Leadership’s Landmark Comprehensive Privacy Bill
Today, Senate Commerce Committee Ranking Member Maria Cantwell (D-WA), joined by top Democrats on the Senate Commerce Committee – Senators Markey, Schatz and Klobuchar – introduced a new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act(COPRA). The bill is consistent with the Senate Democratic leadership positions announced last week and comes in advance of a December 4th Senate Commerce Committee hearingconvened by Senator Wicker (R-Miss), Examining Legislative Proposals to Protect Consumer Data Privacy.
In substance, the bill primarily emphasizes individual control, codifying strong rights for individuals to be informed of data processing, and to be able to access, delete, correct, and port their data. The definition of covered data is broad, aligning with the GDPR and most other US privacy bills to date (data that “identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”), although it excludes “de-identified data.” The FTC is tasked with rulemaking to enable centralized opt-outs for non-sensitive data, while “sensitive data” requires opt-in consent.
Notably, the bill contains a nuanced exception to support ethical commercial research if approved, monitored, and governed by an Institutional Review Board (IRB) or an IRB-like oversight entity that meets standards promulgated by the FTC. Such oversight would provide stronger legal protections for “scientific, historical, or statistical research in the public interest” in situations where informed consent is impractical, such as commercial research conducted on Big Data or other large, less readily identifiable datasets.
Below are FPF’s highlights of COPRA’s other provisions.
“Covered entity” is defined in the bill as “any entity or person that is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq) other than a small business.
Excludes small businesses, defined as those that do not maintain an average annual revenue of over $25,000,000; annually process covered data of an average of 50,000 individuals, households, or devices; and derive half or more of their annual revenue from transferring covered data.
Unlike other federal proposals, this bill would not govern non-profit organizations, political campaigns, or any other entity not already subject to the FTC’s jurisdiction.
2. Data Minimization and Data Security
The bill features a general right to data minimization, a provision that may place significant limits on collection of data. Businesses may not process or transfer data beyond what is “reasonably necessary, proportionate, and limited” to (1) carry out the specific processing purposes and transfers described in the privacy policy made available by the covered entity; (2) carry out a specific processing purpose or transfer for which the covered entity has obtained affirmative express consent; or (3) for a purpose specifically permitted by the Act.
Covered entities must maintain “reasonable data security practices,” including specific obligations to assess vulnerabilities, take preventative and corrective actions, implement policies for information retention and disposal, and conduct employee training.
3. Sensitive Data (and Opt-Outs for Non-Sensitive Data)
The bill requires “prior, affirmative, express consent” to collect or process sensitive data, which includes (among other things): biometric data, information that reveals past, present, or future physical or mental health, disability, or diagnosis of an individual, precise geolocation, details of private communications, phone or text logs, race or ethnicity, union membership, sexual orientation or sexual behavior, and intimate images (a notable inclusion that may intersect with Section 230 and bills like the ENOUGH Act). The FTC can also determine other data to be sensitive through rulemaking.
Sensitive data also includes “email address,” “phone number,” and “browsing history,” which are commonly collected for online and mobile advertising and marketing purposes under an “opt out” standard promoted by industry self-regulation bodies.
Prior, affirmative opt-in consent is required for both processing and transferring of sensitive data. For all other data (“non-sensitive”), the bill provides a right to opt-out of the transfer of personal information, with the FTC tasked with promulgating rules for how such opt-outs should be governed, including the extent to which they may be centralized in ways similar to the FTC’s Do Not Call Registry.
4. Third Parties and Service Providers
Third parties and service providers are defined similarly to how these terms are defined in the California Consumer Privacy Act:
“Service providers” are entities that process or transfer covered data “in the course of performing a service or function on behalf of, and at the direction of, another covered entity,” but only to the extent that such processing or transferral (i) relates to the performance of such service or function; or (ii) is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.
“Third parties” include any other non-service provider entity that processes or transfers third party data; and that is not under common ownership, corporate control, and branding as the covered entity.
Businesses must identify “third parties” to whom data is shared, and allow individuals to opt-out or object to transfers of data to third parties through rules promulgated by the FTC. Service providers may not transfer data to a third party without express affirmative consent from the linkable individual. Meanwhile, “third parties” are prohibited from processing covered data in a manner “inconsistent with the expectations of a reasonable individual.”
The bill also requires the FTC to promulgate strict rules limiting processing and restricting transfers of “biometric data” to third parties.
5. Interaction with State and Federal Laws
This law preempts only “directly conflicting” state laws, and then only to the extent of the conflict. It does not preempt any aspects of state laws that afford “a greater level of protection to individuals protected under this Act.”
Similarly, it would not preempt or displace any “common law rights or remedies, or any statute creating a remedy for civil relief, including any cause of action for personal injury, wrongful death, property damage, or other financial, physical, reputational, or psychological injury based in negligence, strict liability, products liability, failure to warn, an objectively offensive intrusion into the private affairs or concerns of the individual, or any other legal theory of liability under any Federal or State common law, or any State statutory law.”
Similarly, the bill does not supersede any existing federal sectoral laws. However, covered entities that are already required to comply with privacy requirements of federal sectoral laws — including Gramm-Leach-Bliley, the Fair Credit Reporting Act (FCRA), the Health Information Technology for Economic and Clinical Health Act, the Family Educational Rights and Privacy Act (FERPA), or Health Insurance Portability and Accountability Act (HIPAA) — will be “deemed to be in compliance” with the related requirements of the Act (with the exception of the data security requirements in Section 107).
6. Algorithmic Discrimination and Civil Rights
The bill prohibits covered entities from processing or transferring covered data on the basis of an individual’s or class of individuals’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability – (A) for the purpose of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for a housing, employment, credit, or education opportunity, in a manner that unlawfully discriminates against or otherwise makes the opportunity unavailable to the individual or class of individuals; or (B) in a manner that unlawfully segregates, discriminates against, or otherwise makes unavailable, to an individual or class of individuals, goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.
Covered entity must designate privacy and security officers (see below) who among other things are required to annually conduct algorithmic decision-making impact assessments. These assessments must describe and evaluate the development of the entity’s algorithmic decision-making processes (including the design and training data used to develop the algorithmic decision-making process), how they were tested for accuracy, fairness, bias, and discrimination, and whether the system produces discriminatory results on the basis of protected characteristics. A covered entity may use external, independent auditors or researchers to make such assessments.
Three years after enactment, the bill provides that the Commission shall publish a report containing the results of a study examining the use of algorithms for the purposes of processing or transferring covered data to make or facilitate advertising for housing, education, employment, or credit opportunities, or determining access to any place of public accommodation.
The bill disallows covered entities from charging individual fees to exercise their rights, and prohibits covered entities from conditioning a service or product to an individual in exchange for waiving privacy rights.
7. Enforcement, Accountability, and Whistleblower Protections
Within two years, the bill calls for the Federal Trade Commission to establish a “new Bureau” within the Commission. The purpose of the new Bureau would be to assist the Commission in exercising their authority under the Act and other Federal laws addressing privacy, data security, and related issues. Violations of the Act are treated as unfair or deceptive acts under the FTC Act, and are enforceable by the Federal Trade Commission. State Attorneys General are also able to bring actions under the Act. The bill also gives the Federal Trade Commission broad rulemaking authority to promulgate regulations under the Act.
The individual rights granted by the bill are complemented by a private right of action, and the bill provides that any violation of the Act, or of a regulation promulgated under it, should be considered an “injury in fact.” The bill also renders pre-dispute arbitration agreements and joint action waivers invalid or unenforceable with respect to privacy or data security disputes.
The bill also mandates that the chief executive officer, CISO and chief privacy officers of “large data holder[s]” must annually certify to the Commission that the entity maintains adequate internal controls to comply with the Act. “Large data holder” is defined as an entity that, in the last calendar year, processed or transferred the covered data of more than 5,000,000 individuals, devices, or households; or processed or transferred the sensitive data of over 100,000 individuals, devices, or households.
The bill prohibits covered entities from discharging, demoting, suspending, threatening, harassing, or in any other manner discriminating against a covered individual of the entity for, inter alia, taking a lawful action in providing the Federal Government or State Attorney General with information relating to acts or omissions they believe to be violations of the Act or regulations promulgated under the Act. Various forms of relief are available, including reinstatement, back pay, financial damages, and attorneys’ fees.
The bill calls for the designation of qualified employees as privacy and data security officers to facilitate the covered entities ongoing compliance with the Act. Among others, responsibilities include the facilitation of ongoing compliance with the Act; the implementation of comprehensive privacy and data security programs; employee training & risk assessments; and annually conducting mandated algorithmic decision-making impact assessments (described above).
READ MORE:
Senator Cantwell’s Press Release (11.26.19) – Link
FPF CEO Jules Polonetsky’s Statement (11.26.19) – Link
Witnesses and Details for December 4th Hearing – Link
Statement by Future of Privacy Forum CEO Jules Polonetsky on the Consumer Online Privacy Rights Act
WASHINGTON, DC – November 26, 2019 – Statement by Future of Privacy Forum CEO Jules Polonetsky regarding the introduction of a new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act(COPRA), proposed today by Senators Maria Cantwell, Amy Klobuchar, Brian Schatz, and Ed Markey:
“This is the most sophisticated federal proposal to emerge to date and demonstrates that Senate Democrats are committed to setting a high bar for consumer privacy. The bill would codify strong individual rights, meeting and exceeding the California Consumer Privacy Act. It also requires companies to implement training and accountability measures and includes a nuanced exception to support ethical research. The bill provides a strong starting point that will move bipartisan debate forward, with private rights of action, limits on preemption, and the definition of sensitive data, among other issues, likely to be points of ongoing negotiation.”
# # #
The Future of Privacy Forum will post a more detailed analysis of the legislation on its blog.
Future of Privacy Forum is a global non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.
Questions to Ask Before You Buy a Genetic Testing Kit on Black Friday
By Rachele Hendricks-Sturrup and Katelyn Ringrose
On Black Friday and Cyber Monday, millions of consumers will hurry to their nearest doorbuster sale or boot up their favorite sales portal to buy a price-slashed consumer genetic testing kit. Some genetic testing kits will be up to half off this year, and the market as a whole is projected to more than triple from a valuation of $99 million this past year to a projected $310 million in 2022.
Last year on Black Friday, AncestryDNA alone sold about 1.5 million testing kits. According to Wired, that means that consumers sent in around 2,000 gallons of saliva—enough spit to fill a modest above-ground swimming pool. Consumers are drawn to the tests for genealogical purposes, and new market offerings are being used as strategies to help raise consumer awareness on genetic health risks.
With that much genetic material exchanging hands, it is important for consumers to think carefully about which kit provider will prioritize consumer privacy.DNA contains deeply personal information which can be incredibly beneficial for consumers. But that same information may also contain unexpected and deeply personal information that could be unsettling, and reveal information about the test taker’s family members. It deserves a high standard of protection.
However, laws like the Health Insurance Portability and Accountability Act (HIPAA), the central U.S. health privacy law, do not apply to genetic information collected and housed by consumer genetic testing companies. Due to this regulatory gap, consumers should find out from the companies themselves, and prior to buying a test for themselves or a loved one, how the companies will protect and use the genetic data they provide and collect.
Here are five important questions consumers should ask before buying a genetic testing kit on Black Friday or Cyber Monday:
Does the Company Ask for Your Consent Before Sharing Your Individual-Level Genetic Data with Third Parties? People choose to share their genetic data with third parties for a range of purposes (e.g., to participate in scientific research or connect with unknown biological relatives). However, genetic testing companies should never share your individual-level genetic data with third parties without your knowledge and consent, particularly with insurers, employers, and educational institutions.
Do You Have the Ability to Delete Your Genetic Data and Destroy Your Biological Sample If You Choose? Companies may have default policies to destroy all samples once testing is completed, retain data or samples for only a finite period of time or in accordance with regulations, or retain data and samples indefinitely or until you close your account. Companies should be clear about their retention practices and offer prominent ways to delete your genetic data from their databases and destroy your biological sample.
Does the Company Require a Valid Legal Process Before They will Disclose Your Genetic Data to Law Enforcement? As we have seen in prolific cases like the Golden State Killer, genetic data can be a powerful investigative tool for government. However, government access to your genetic data presents substantial privacy risks. Companies should require that government entities obtain valid legal process, like a warrant, subpoena, or a legal order before they disclose genetic data.
What are the Company’s Notification Practices When it Comes to Conveying Material Changes to Their Privacy Policies? Companies may modify their privacy policies or statements occasionally, and sometimes they significantly change how genetic data is collected, used, and stored. But before changes are implemented, you should be notified and given an opportunity to review the changes to decide if you want to continue using the company’s services.
Has the Company Committed to Strong Technical Data Security Practices? As more than 26 million individuals have had their DNA tested, the potential for hacking and data breaches is an increasing concern. Given the uniqueness of genetic data, companies should maintain a comprehensive security program through practices such as: secure storage of biological samples and genetic data, encryption, data-use agreements, contractual obligations, and accountability measures.
For consumers who are interested in learning more, the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services set forth standards for the collection, use, and sharing of genetic data. The standards embrace express consent mechanisms for the transfer of data to third parties and have provisions restricting marketing based on genetic data, among other privacy-centric protections. Companies that currently support these best practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, and Living DNA.
Before you buy a genetic test kit as a gift or for yourself for this holiday season, take a moment to consider how our genetic information shapes who we are… and whether you are dealing with a company that promises to protect it.
For more information and to learn how to become involved with FPF’s health privacy efforts, please contact Katelyn Ringrose at [email protected] or Rachele Hendricks-Sturrup at [email protected].
FPF Welcomes New Members to the Youth & Education Privacy Project
We are thrilled to announce three new members of FPF’s Youth & Education Privacy team. The new staff – Jasmine Park, Anisha Reddy, and Katherine Sledge – will help expand FPF’s technical assistance and training, resource creation and distribution, and state and federal legislative tracking.
You can read more about Katherine, Anisha, and Jasmine below. Please join us in welcoming them to the team!
Jasmine Park
Jasmine Park is a Policy Fellow for the Youth and Education Privacy Project. Jasmine is primarily supporting FPF’s outreach, training, and technical assistance for local and state education agencies (LEAs and SEAs), including FPF’s pilot Train-the-Trainer program and the K-12 privacy working group for LEA/SEA staff. She will also be helping to grow FPF’s child privacy portfolio in the U.S. and abroad. Jasmine recently graduated with an M.A. in Global Affairs from the Yale Jackson Institute for Global Affairs, where she focused on tech policy and digital anthropology. From 2015 to 2017, Jasmine served as a Peace Corps Volunteer in Cambodia, where she gained two years of on-the-ground experience as an educator. She worked closely with local government, school administrators, law enforcement, and community leaders to conduct needs assessments and to provide access to the training and resources necessary to address self-identified needs. She previously interned with the Los Angeles Mayor’s Office of International Affairs and Asian Americans Advancing Justice. Jasmine serves on the board of Brio, a nonprofit that empowers local partners to design and launch mental health solutions in vulnerable communities globally. Jasmine received her B.A. cum laude in History and East Asian Studies from Harvard University.
I most look forward to joining the FPF Education Privacy team’s efforts to equip local administrators with the knowledge and tools they need to implement best practices in their communities.
Anisha Reddy
Anisha Reddy is a Policy Fellow for the Youth and Education Privacy Project. Anisha is primarily supporting FPF’s state and federal legislative analysis and resources. Anisha is also running FPF’s K-12 working group for edtech companies and overseeing the bi-weekly education privacy newsletter. At Penn State’s Dickinson Law, Anisha was honored with the University’s 2017-2018 Montgomery and MacRae Award for Excellence in Administrative Law. She held the offices of Executive Editor for Digital Media of the Dickinson Law Review, President of the Asian Pacific Law Students Association, and Vice President of the Women’s Law Caucus. Anisha served as a Certified Legal Intern for the Children’s Advocacy Clinic in Carlisle, PA, where she represented children involved in civil court actions like adoption, domestic violence, and custody matters. She previously interned at the Governor of Pennsylvania’s Office of General Counsel, at Udacity in Mountain View, CA and at Blockchain, Inc. in New York, NY.
I’m most excited about the unique opportunity to impact the way the student privacy conversation is framed by helping include the voices of all stakeholders – not just the edtech industry – but parents, districts, and the students themselves.
Katherine Sledge
As the Policy Manager for Youth and Education Privacy at the Future of Privacy Forum, Katherine manages the progression of projects related to youth and student privacy at FPF. Before coming to FPF, Katherine worked with the executive team at the National Network to End Domestic Violence. She also has national and state-level political advocacy experience at the National Alliance to End Homelessness and the ACLU. Prior to transitioning to a career in public policy, Katherine was the Operations Specialist at an environmental firm that specializes in remediation projects. In that role, Katherine headed administrative and logistical support for environmental projects across the US.
Katherine graduated from American University with a Master of Public Administration with a custom concentration in Applied Politics: Women, Public Policy, and Political Advocacy. In addition to the core public management curriculum, Katherine focused her studies on the intersection of public policy and gender, as well as advocacy strategy, process, and best practices. Originally from Tennessee, Katherine attended the University of Tennessee, Knoxville, where she earned her B.A. in Political Science.
Interested in student privacy? Subscribe to our monthly education privacy newsletter here. Want more info? Check out FERPA|Sherpa, the education privacy resource center website.
What They’re Saying: Stakeholders Warn Senate Surveillance Bill Could Harm Students, Communities
Parents, privacy advocates, education stakeholders, and members of the disability rights community are raising concerns about new Senate legislation that would mandate unproven student surveillance programs and encourage greater law enforcement intervention in classrooms in a misguided effort to improve school safety.
Last week, Senator John Cornyn (R-TX) introduced the RESPONSE Act, legislation that is intended to help reduce and prevent mass violence in communities. However, the bill includes a provision to dramatically expand the Children’s Internet Protection Act and would require almost every U.S. school to implement costly network monitoring technology and collect massive amounts of student data.
The legislation also requires the creation of school-based “Behavioral Intervention Teams” that will be strongly encouraged to refer concerning student behavior directly to law enforcement, rather than allowing educators who know students best to engage directly and address the issue internally. This provision would likely strengthen the “school to prison pipeline” and could be especially harmful for students of color and students with disabilities.
Take a look at What They’re Saying about the legislation:
A new Republican bill that claims ‘to help prevent mass shootings’ includes no new gun control measures. Instead, Republican lawmakers are supporting a huge, federally mandated boost to America’s growing school surveillance industry… There is still no research evidence that demonstrates whether or not online monitoring of schoolchildren actually works to prevent violence.
Training behavioral assessment teams to default to the criminal process rather than school-based behavioral assessment and intervention would do little to address violence in schools and would likely foster rather than prevent a violent school environment … By making the criminal process the frontline for student discipline, this bill will only serve to increase the number of students of color and students with disabilities in the juvenile justice system.
Leslie Boggs, national PTA president, said in a statement that the organization has concerns with the bill asit is currently written. She said the PTA will work with Cornyn’s staff “to ensure evidence-based bestpractices for protecting students are used, the school to prison pipeline is not increased, students are not discouraged from seeking mental health and counseling support and that students’ online activities are not over monitored.”
Privacy experts and education groups, many of which have resisted similar efforts at the state level, say that level of social media and network surveillance can discourage children from speaking their minds online and could disproportionately result in punishment against children of color, who already face higher rates of punishment in school.
Generational gaps between adults and teens make for hefty communication barriers, and a private Facebook message that might read as “dangerous” to a grown law enforcement officer could easily just be two children goofing off… whenever they go online, students would be forced to think about what the government or their school would like and dislike, driving what Republicans so often claim to be against — mental conformity to institutional, government-driven norms. Students’ fears of being watched (and reported) would also inevitably widen the gap between government schools and their students. Surveillance accompanied by the threat of penalty would result in mass distrust from students toward the education system: a reinforced “us versus them” mentality between students and the adults in charge.
Schools are already deploying significant digital surveillance systems in the name of safety…But critics say these surveillance systems vacuum up a huge and irrelevant stream of online data, can lead to false positives, and present huge problems for privacy.
Unfortunately, the proposed measures are unlikely to improve school safety; there is little evidence that increased monitoring of all students’ online activities would increase the safety of schoolchildren, and technology cannot yet be used to accurately predict violence. The monitoring requirements would place an unmanageable burden on schools, pose major threats to student privacy, and foster a culture of surveillance in America’s schools. Worse, the RESPONSE Act mandates would reduce student safety by redirecting resources away from evidence-based school safety measures.
Billed as a response to school shootings, [the RESPONSE Act] has, as critics noted, almost nothing to do with guns, and a great deal to do with increasing surveillance (as well as targeting those with mental health issues)…Not everyone will find this troubling… But if you want to erode civil liberties and traditions of privacy, it’s best to start with people who don’t have the political power to fight back. Children are ideal–not only can’t they fight back, but they will grow up thinking it’s perfectly normal to live under constant surveillance. For their own safety, of course.
ICYMI: New Senate Legislation Mandates “Pervasive Surveillance” in Attempt to Improve School Safety
WASHINGTON, D.C. – Legislation introduced in the U.S. Senate this week is under scrutiny from privacy and disability rights advocates for provisions that would dramatically expand surveillance technologies in schools nationwide, despite lack of evidence or research to confirm these tools have any effect on preventing or predicting school violence.
According to The Guardian, “A new Republican bill that claims ‘to help prevent mass shootings’ includes no new gun control measures. Instead, Republican lawmakers are supporting a huge, federally mandated boost to America’s growing school surveillance industry… There is still no research evidence that demonstrates whether or not online monitoring of schoolchildren actually works to prevent violence.”
Future of Privacy Forum Senior Counsel and Director of Education Privacy Amelia Vance highlighted the challenges and unintended consequences that could result from the RESPONSE Act sponsored by Senator John Cornyn (R-TX):
Privacy advocates say pervasive surveillance is not appropriate for an educational setting, and that it may actually harm children, particularly students with disabilities and students of color, who are already disproportionately targeted with school disciplinary measures.
“You are forcing schools into a position where they would have to surveil by default,” said Amelia Vance, the director of education privacy at the Future of Privacy Forum.
“There’s a privacy debate to be had about whether surveillance is the right tactic to take in schools, whether it inhibits students trust in their schools and their ability to learn,” Vance said. But “the bottom line,” she said, is “we do not have evidence that violence prediction works”…
If Cornyn’s bill becomes law, “you’re going to force probably 10,000 districts to buy a new product that they’re going to have to implement”, she said.
That would mean redirecting public schools’ time and money away from strategies that are backed by evidence, such as supporting mental health and counseling services, and towards dealing with surveillance technologies, which often produce many false alarms, like alerts about essays on To Kill a Mockingbird.
Increased Surveillance is Not an Effective Response to Mass Violence
By Sara Collins and Anisha Reddy
This week, Senator Cornyn introduced the RESPONSE Act, an omnibus bill meant to reduce violent crimes, with a particular focus on mass shootings. The bill has several components, including provisions that would have significant implications for how sensitive student data is collected, used, and shared. The most troubling part of the proposal would broaden the categories of content schools must monitor under the Children’s Internet Protection Act(CIPA); specifically, schools would be required to “detect online activities of minors who are at risk of committing self-harm or extreme violence against others.”
Unfortunately, the proposed measures are unlikely to improve school safety; there is little evidence that increased monitoring of all students’ online activities would increase the safety of schoolchildren, and technology cannot yet be used to accurately predict violence. The monitoring requirements would place an unmanageable burden on schools, pose major threats to student privacy, and foster a culture of surveillance in America’s schools. Worse, the RESPONSE Act mandates would reduce student safety by redirecting resources away from evidence-based school safety measures.
More Untargeted Monitoring is not the Answer
About 95% of schools are required to create internet safety policies under CIPA (these requirements are tied to schools’ participation in the “E-rate” telecommunications discount program). CIPA requires safety policies to include technology that monitors, blocks, and filters students’ attempts to access inappropriate online content. CIPA generally imposes monitoring requirements regarding: obscene content; child pornography; and content that is otherwise harmful to minors.
The RESPONSE Act would impose new obligations, requiring schools to infer whether a students’ internet use might indicate they are at risk of committing self-harm or extreme violence against others. However, there is little evidence that detecting or blocking this kind of content is technically possible and would prevent physical harm. A report on school safety technology funded by the U.S. Department of Justice noted that violence prediction software is “immature technology.” Not only is the technology immature, the FBI found that there is no one profile for a school shooter: scanning student activity to look for the next “school shooter” is unlikely to be effective.
By directing schools to implement “technology protection measure[s] that detect online activities of minors who are at risk of committing self-harm or extreme violence against others,” the RESPONSE Act would essentially require that all schools across the nation implement some form of comprehensive network or device monitoring technology to scan lawful content–a direct violation of local control and a serious invasion of students’ privacy.
This broad language could encourage schools to collect as much information as possible about students, requiring already overwhelmed faculty and administrators to spend countless hours sifting through contextually harmless student data–hours that could be better spent engaging with students directly.
Additionally, this technology mandate could limit schools’ ability and desire to implement more thoughtful and effective programs and policies designed to improve school safety. Schools may assume that network monitoring technology is more effective than it actually is, and redirect resources away from evidence-based school safety measures, such as holistic approaches to early intervention. Further, without more guidance, school administrators would be forced to make judgement calls that result in the over-monitoring of student online activity.
The cost associated with the implementation of these technologies goes beyond buying appropriate network monitoring software, which is a burden in and of itself. Schools—which are under-resourced and under-staffed—would experience difficulty devoting funds and staff time to monitoring these alerts, as well as developing policies for responses to those alerts. These burdens are further compounded in rural school districts that already receive less funding per student.
False Alerts Unjustly Trap Students in the Threat Assessment Process
In some cases, network monitoring does not end when the school day ends. Schools often issue devices for students to take home or online accounts students access from a device at home. Under the RESPONSE Act, these schools would be forced to monitor students constantly. If a school gets an alert during non-school hours, their default action may be to alert law enforcement. But sending law enforcement to conduct wellness checks is not a neutral action. These interactions can be traumatic for students and families, and can result in injury or false imprisonment. These harms are exacerbated when monitoring technology provides overwhelming numbers of false positives.
Even if content monitoring technology were effective, the belief that surveillance has no negative outcomes or consequences for students has created a pernicious narrative. Surveillance technologies, like device, network, or social media monitoring services, can harm students by stifling their creativity, individual growth, and speech. Constant surveillance also conditions students to expect and accept that authority figures, such as the government, will always monitor their activity. We also know that students of color and students with disabilities are disproportionately suspended, arrested, and expelled compared to white students and non-disabled students. The RESPONSE Act’s proposed new requirements would only serve to further exacerbate this disparity.
Schools, educators, caregivers, and communities are in the best position to notice and address concerning student behavior. The Department of Education has several resources outlining effective disciplinary measures in schools, finding that “[e]vidence-based, multi-tiered behavioral frameworks . . . can help improve overall school climate and safety.”
Ultimately, requiring schools to spend money on ineffective technology would divert much-needed resources and staff from providing students with a safe learning environment. Rather than focusing on filtering content, schools should emphasize the importance of safe and responsible internet use and use school safety funding on evidence-based solutions. By doing so, administrators can create a school community built on trust rather than suspicion.
FPF Receives Grant To Design Ethical Review Process for Research Access to Corporate Data
One of the defining features of the data economy is that research is increasingly taking place outside of universities and traditional academic settings. With information becoming the raw material for production of products and services, more organizations are exposed to and closely examining vast amounts of personal data about citizens, consumers, patients and employees. This includes companies in industries ranging from technology and education to financial services and healthcare, and also non-profit entities, which may seek to advance societal causes, or other agenda-driven projects.
For research on data subject to the Common Rule, institutional review boards (IRBs) provide an essential ethical check on experimentation and research. However, much of the research relying on corporate data is beyond the scope of IRBs, because the data has been previously collected, the project or researcher is not federally funded, the data may be a public data set or other reasons.
Future of Privacy Forum (FPF) has received a Schmidt Futures grant to create an independent party of experts for an ethical review process that can provide trusted vetting of corporate-academic research projects. FPF will establish a pool of respected reviewers to operate as a standalone, on-demand review board to evaluate research uses of personal data and create a set of transparent policies and processes to be applied to such reviews.
FPF will define the review structure, establish procedural guidelines, and articulate the substantive principles and requirements for governance. Other considerations to be addressed include companies’ common concerns about risk analysis, disclosure of intellectual property and trade secrets, and exposure to negative media and public reaction. Following this phase, members who can be available for reviews will be recruited from a range of backgrounds. The project will include input and review by government, civil society, industry and academic stakeholders.
Sara Jordan, who will be cooperating with FPF on this project, has proposed one model for addressing this challenge. Her paper, Designing an AI Research Review Committee, calls for a review committee dedicated to ethical oversight of AI research by giving serious consideration of the design of such an organization. This model proposes a design for such a committee drawing upon the history and structure of existing research review committees such as IRBs, Institutional Animal Care and Use Committees (IACUC), and Institutional Biosafety Committees. This model follows that of the IBC but with a blend of features from human subject and animal care and use committees in order to improve implementation of risk-adjusted oversight mechanisms.
Another analysis and recommendation was published recently by Northeastern University Ethics Institute and Accenture: Building Data and AI Ethics Committees. This paper comments that an ethics committee is a potentially valuable component of accomplishing responsible collection, sharing, and use of data, machine learning, and AI within and between organizations. However, to be effective, such a committee must be thoughtfully designed, adequately resourced, clearly charged, sufficiently empowered, and appropriately situated within the organization.
Likewise the EU is considering these challenges with several recent AI guidance publications including the Council of Europe established an ad hoc committee on Artificial Intelligence, which will examine the feasibility and potential elements on the basis of broad multi-stakeholder consultations, of a legal framework for the development, design and application of artificial intelligence, based on Council of Europe’s standards on human rights, democracy and the rule of law.
BACKGROUND
The ethical framework applying to human subject research in the biomedical and behavioral research fields dates back to the Belmont Report. Drafted in 1976 and adopted by the United States government in 1991 as the Common Rule, the Belmont principles were geared towards a paradigmatic controlled scientific experiment with a limited population of human subjects interacting directly with researchers and manifesting their informed consent. These days, researchers in academic institutions as well as private sector businesses not subject to the Common Rule, seek to conduct analysis of a wide array of data sources, from massive commercial or government databases to individual tweets or Facebook postings publicly available online, with little or no opportunity to directly engage human subjects to obtain their consent or even inform them of research activities. Data analysis is now used in multiple contexts, such as combatting fraud in the payment card industry, reducing the time commuters spend on the road, detecting harmful drug interactions, improving marketing mechanisms, personalizing the delivery of education in K-12 schools, encouraging exercise and weight loss, and much more.
These data uses promise tremendous research opportunities and societal benefits but at the same time create new risks to privacy, fairness, due process and other civil liberties. Increasingly, researchers and corporate officers find themselves struggling to navigate unsettled social norms and make ethical choices for ways to use this data to achieve appropriate goals. The ethical dilemmas arising from data analysis may transcend privacy and trigger concerns about stigmatization, discrimination, human subject research, algorithmic decision making and filter bubbles.
In many cases, the scoping definitions of the Common Rule are strained by new data-focused research paradigms, which are often product-oriented and based on the analysis of preexisting datasets. For starters, it is not clear whether research of large datasets collected from public or semi-public sources even constitutes human subject research. “Human subject” is defined in the Common Rule as “a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.” Yet, data driven research often leaves little or no footprint on individual subjects (“intervention or interaction”), such as in the case of automated testing for security flaws.
While obtaining individuals’ informed consent may be feasible in a controlled research setting involving a well-defined group of individuals, such as a clinical trial, it is untenable for researchers experimenting on a database that contains the footprints of millions, or indeed billions, of data subjects. In response to these developments, the Department of Homeland Security commissioned a series of workshops in 2011-2012, leading to the publication of the Menlo Report on Ethical Principles Guiding Information and Communication Technology Research. That report remains anchored in the Belmont Principles, which it interprets to adapt them to the domain of computer science and network engineering, in addition to introducing a fourth principle, respect for law and public interest, to reflect the “expansive and evolving yet often varied and discordant, legal controls relevant for communication privacy and information assurance.”
Ryan Calo foresaw the establishment of “Consumer Subject Review Boards” to address ethical questions about corporate data research. Calo suggested that organizations should “take a page from biomedical and behavioral science” and create small committees with diverse expertise that could operate according to predetermined principles for ethical use of data. No model has a direct correlation to the current challenges, however. The categorical non-appealable decision making of an academic IRB, which is staffed by tenured professors to ensure independence, will be difficult to reproduce in a corporate setting. And corporations face legitimate concerns about sharing trade secrets and intellectual property with external stakeholders who may serve on IRBs.
FPF’s work on this grant will seek to demonstrate the composition and viability of one way to address these challenges.
COPPA Workshop Takeaways
On Monday, the Federal Trade Commission (FTC) held a public workshop focused on potential updates to the Children’s Online Privacy Protection Act (COPPA) rule. The workshop follows a July 25, 2019 notice of rule review and call for public comments regarding COPPA rule reform. The comment period remains open until December 9th. Senior FTC officials expect the process to result in changes to the COPPA rule. The workshop also follows the Commission’s high-profile settlement with YouTube regarding child-directed content.
Monday’s workshop was a key part of the Commission’s review; the day-long session featured panel discussions focused on the various questions raised regarding COPPA’s continued effectiveness as technology evolves. FPF’s Amelia Vance spoke on a panel focused on the intersection of issues related to children’s privacy and student privacy.
During the edtech focused panel, there was a consensus that schools should be able to use the Family Educational Rights and Privacy Act’s (FERPA) school official exception to provide consent on behalf of under-thirteen students under COPPA, rather than collect consent directly from parents. This allows schools to continue to exercise judgment over what technology is used, while also preserving the privacy protections of both COPPA and FERPA. Many speakers expressed that parents feel they have little transparency about the technology being used in their child’s school. The FTC may potentially require increased transparency or notice to assuage these worries.
We also noticed several recurring themes throughout the workshop:
The tension between child-directed content and “child-attractive” or child-appropriate content and what that means under COPPA;
The misconceptions surrounding the meaning of “actual knowledge” and COPPA’s “product improvement” exception; and
A need to focus on frameworks and technology that allow children to safely be online.
The Tension Between “Child-Directed” Content and “Child-Attractive” or Child-Appropriate Content
Several questions were posed regarding the meaning of “child-directed content:”
Does child-directed content also mean child-attractive content—content that may interest children but is aimed at broader audiences, such as an interview with a sports player?
Does child-directed content also include child-appropriate content—content that doesn’t typically interest children, but is not violent, explicit, or objectionable, such as a video teaching viewers how to change the oil in their car?
If child-attractive or child-appropriate content gains a large enough child audience, does it transform into child-directed content?
Panelists cautioned that determining whether content is child-directed by focusing solely on audience makeup could create a moving target for creators; they would constantly have to monitor their audience to ensure they don’t break the “child-directed” threshold. Without clear methods for monitoring when children are accessing general audience content, this tension could not only encourage additional data collection, but it also makes it very difficult to create content for teenagers or “nostalgia-content” for adults. Panelists noted that this tension can transcend beyond content creators to services originally intended for a general audience that unintentionally attracts a child audience.
Harry Jho, a YouTube content creator, raised a concern that COPPA, as applied in the FTC’s YouTube settlement, will stifle creators’ ability to produce quality children’s online content. The settlement requires YouTube and creators to disable behaviorally targeted advertisements on child-directed content. Jho stated that he relies on behavioral advertising for the “lion’s share” of his revenue. Jho claimed that this settlement requirement will cause creators to suffer, and the quality of free children’s content on the internet to decline. Jho also articulated that there is confusion among creators about whether child-attractive or child-appropriate content will be considered “child-directed” under COPPA, resulting in less certainty than ever about whether COPPA applies to particular creators, channels, or videos.
Misconceptions: Actual Knowledge and Product Improvement
There was also significant confusion around the scope of COPPA and its definitions throughout the workshop. We heard many different opinions about the meaning of the actual knowledge standard, and the only point of agreement was that the YouTube settlement has contributed to the confusion. The FTC has said that having actual knowledge that there is child-directed content on your platform triggers COPPA. However, in the YouTube settlement, the FTC cited evidence that showed YouTube had knowledge that children were using the site, as well as pointing to channels that were obviously child-directed. Phyllis Marcus, a partner at Hunton Andrews Kurth, argued that the distinction between actual knowledge of child-directed content on a website versus actual knowledge that children are using a website seems to be collapsing. This shift, coupled with the confusion regarding the definition of “child-directed,” has caused significant uncertainty. Marcus believes that the use of the term “actual knowledge” in various other privacy regimes, such as California’s Consumer Privacy Act, will also create substantial confusion for companies.
While discussing edtech, the question of whether product improvement remains acceptable under COPPA was raised. Ariel Fox Johnson of Common Sense Media argued that product improvement is a commercial purpose under COPPA, full stop, and if schools are paying for a service, they should not also be “paying” with student data. FPF’s Amelia Vance argued that the product improvement exception is necessary to allow essential functions like security patches and authenticating users, so any changes should be carefully tailored.
Keeping Kids on the Internet
A recurring discussion was that some strategies for COPPA compliance have the unintended consequence of keeping kids off the internet. Jo Pedder, Head of Regulatory Strategy at the United Kingdom Information Commissioner’s Office discussed the UK’s implementation of the age-appropriate design code. The code’s goal is to empower kids on the internet while keeping them safe, rather than keeping them out of the digital world. Instead of a one-stop age-gate—largely decried by panelists as an ineffective method of keeping kids safe from age-inappropriate content and data collection—the design code requires entities to understand the age ranges of users and use these “age bands” to, for example, tailor privacy notices or settings.
Similarly, sites with a “mixed audience” under COPPA were heavily discussed, including if age gates can be effective in the space. Dona Fraser of the Children’s Advertising Review Unit pointed out that when kids see an age-gate, they see it as a requirement to lie about their age. Children want to use the internet and they are worried about what they are missing out on. When a mixed audience online service implements a holistic design approach by, for example, establishing a child-appropriate service by default, kids don’t feel like they are missing out on content and don’t have to lie.
Next Steps for the FTC
Several privacy advocates called for the Commission to exercise its 6(b) authority regarding COPPA-covered online services: under Section 6(b) of its enabling Act, the FTC has investigative authority to require reports providing “information about [an] entity’s ‘organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals.’ 15 U.S.C. Sec. 46(b).” Panelists who brought up Section 6(b) raised concerns about the lack of insight about what information is being collected by websites and applications, especially in the education technology sector. Panelists also asked the FTC to do studies on the effectiveness of age-gates and whether behaviorally targeted ads actually have a higher market value than contextual advertisements, and even include the voices of the most important stakeholders–children–in the FTC’s analysis. Additionally, it is important to note that several panelists commented that the child privacy conversation needs to evolve beyond notice and consent, and urged the FTC to focus on creating requirements that provide privacy protections to children, while not creating additional notice or consent mechanisms that burden both parents and companies.
Many panelists also urged the FTC to engage in more enforcement actions. One panelist stated that more frequent enforcement actions would have a “tremendous effect” in rooting out bad actors and encouraging COPPA compliance.
For additional reading on the workshop, see these articles:
