Tech & Sourcing @ Morgan Lewis


Senators Edward Markey and Richard Blumenthal introduced a new privacy rights bill on April 10 titled “Customer Online Notification for Stopping Edge-provider Network Transgressions” (CONSENT Act). The CONSENT Act’s obligations would apply to entities known as edge providers, which provide services through a software program (including a mobile application) or over the internet (1) that require their customers to subscribe to or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer provides sensitive customer proprietary information.

The CONSENT Act would require the Federal Trade Commission (FTC) to promulgate regulations to protect the privacy of customers of edge providers within one year of passage of the CONSENT Act; those regulations would take effect within 180 days of such promulgation. Specifically, the CONSENT Act stipulates that such FTC regulations must

  1. require edge providers to notify a customer of the collection, use, and sharing of his or her sensitive customer proprietary information (e.g., financial, health, precise geolocation, and call detail information, information pertaining to children, Social Security numbers, content of communications, and web browsing history) when the customer initially subscribes, establishes an account for, purchases, or begins receiving the edge service and again if the collection, use, or sharing significantly changes;
  2. require edge providers to obtain opt-in consent—that is, affirmative, express consent after explicit notification—from a customer prior to using, sharing, or selling sensitive customer proprietary information;
  3. contain protections for de-identified sensitive customer proprietary information to prevent the restoration of personally identifiable information (i.e., information that can be linked or reasonably linked to an individual or device);
  4. on a case-by-case basis, consider the reasonableness of an edge provider’s policy where a customer’s privacy protection selections have an effect on the cost of the edge provider’s service for that customer;
  5. require edge providers to disclose incentives based on a customer providing consent to the use or sharing of his or her sensitive customer proprietary information;
  6. ban edge providers from implementing take-it-or-leave-it policies—i.e., refusing service to customers who do not consent to the use or sharing of their customer proprietary information for commercial purposes; and
  7. require edge providers to develop reasonable data security practices, including certain data breach notification procedures.

The CONSENT Act specifies that a violation of the CONSENT Act or the FTC regulations carrying out the CONSENT Act would be an unfair or deceptive act or practice under the Federal Trade Commission Act. Other enforcement mechanisms are included in the CONSENT Act as well.

Because the CONSENT Act, if passed and signed into law, would implement new, stricter requirements surrounding the collection and use of certain customer data by edge providers, it will be important to follow the progress of this legislation, along with several other data privacy bills that have been introduced in both the House of Representatives and Senate. The adoption of the CONSENT Act would be a marked departure from the current trend of deregulation by the Federal Communications Commission and Congress that we have seen for broadband internet access service (BIAS) providers, from the blocking of the Obama administration’s broadband privacy rules to the repeal of net neutrality.