The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee proposes comprehensive federal regulation of data broker services. While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.
Comprehensive Federal Regulation of “Data Brokers”
Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as
“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.”
PDPSA § 3(5). Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted. See PDPSA § 201(b)(1)-(3). Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA which is limited to information used in consumer reports.
Data Broker Provisions are Substantially Similar to the FCRA
The obligations the draft legislation places on data brokers largely mirror those contained in the FCRA. For example, under the proposed legislation data brokers must make records containing personally identifiable information (“PII”) maintained for disclosure to third parties available to consumers upon request at a reasonable fee. See PDPSA § 201(c). Such disclosures must include instructions for correcting inaccurate information. In addition, the proposed law would obligate users of data broker services to provide notice to individuals when they take any adverse actions based upon data broker records. See PDPSA § 201(d). Adverse action notices would include contact information for the data broker and instructions on the steps needed to correct inaccurate information.
FTC and State Attorneys General Authorized to Pursue Civil Enforcement Actions
The draft legislation authorizes the Federal Trade Commission (“FTC”) and state Attorneys General to bring civil enforcement actions against entities that violate the data broker requirements. See PDPSA § 202. The civil remedies set forth in the bill include equitable relief and monetary penalties of up to $1,000 per violations up to a maximum of $250,000. The FTC also would be able to seek double monetary penalties for violations that demonstrated to be willful or intentional.