House Energy & Commerce Consumer Protection Subcommittee Chairman Bobby Rush (D-IL) will hold a hearing on THURSDAY JULY 22 @ 2PM EDT on his new privacy bill – HR 5777 BEST PRACTICES Act


H.R. 5777

The Building Effective Strategies To Promote Responsibility, Accountability, Choice, Transparency, Innovation, Consumer Expectations, and Safeguards (“BEST PRACTICES”) Act

Section-by-Section Analysis

Section 1 of the bill states the title and includes the table of contents.

Section 2 sets forth definitions under the bill. Section 2(3) defines a “covered entity” as a person engaged in interstate commerce that collects or stores data containing covered information or sensitive information and excludes the government and certain small businesses. Section 2(4) defines “covered information” as certain information about an individual, such as a name, postal address, passport number, or financial account number. The definition excludes certain business and employment information. Section 2(8) defines “sensitive information” as certain information about an individual, such as medical history or financial information, race or ethnicity, biometric information, and Social Security numbers. FTC may modify the definition. Section 2(10) defines a “third party” based on the reasonable expectation of the consumer and requires FTC to clarify or modify the definition.

Section 101 requires a covered entity to make information about the covered entity’s privacy practices available to individuals, including a description of the information collected and the specific purposes for which the information was collected.

Section 102 requires a covered entity to provide individuals with concise, meaningful, timely, prominent, and easy-to-understand notice or notices. Section 102 directs FTC to promulgate rules to determine the means and timing of notices while taking into account the different media, devices, or methods through which a covered entity collects information. FTC can allow for or require shorter notices and may issue model notices.

Section 103 requires a covered entity to provide an individual with the ability to opt out of the collection and use of covered information. A covered entity may require, as a condition of receipt of a service or benefit, the collection and use of covered information about the individual, subject to a series of limitations. Opt-out consent is not required for the collection and use of covered information for certain operational purposes.

Section 104 requires a covered entity to obtain express affirmative consent before: disclosing covered information to third parties; collecting, using, or disclosing sensitive information; or engaging in comprehensive online data collection through hardware or software such as deep packet inspection.

Section 105 requires a covered entity to obtain express affirmative consent for the retroactive application of a privacy policy to previously collected information and to offer notice for prospective changes and opt-out consent for certain prospective changes.

Section 106 establishes that a covered entity is exempt from complying with sections 103 and 104 for the disclosure of covered information to service providers or for the collection or disclosure of publicly available information.

Section 201 requires a covered entity to establish procedures to ensure the accuracy of covered information and sensitive information, with exceptions for fraud databases and publicly available information.

Section 202 requires a covered entity to provide consumers with reasonable access to, and the ability to correct or amend, certain information held about that individual.

Section 301 requires a covered entity to have safeguards to secure information.

Section 302 requires a covered entity to conduct a privacy risk assessment for certain commercial projects and conduct periodic assessments of its information practices.

Section 303 mandates that a covered entity shall only retain covered information or sensitive information as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement.

Sections 401-404 set out the requirements of a Safe Harbor Self-Regulatory Choice Program (Choice Program), establish that a covered entity that participates in Choice Program is not subject to certain sections, and require FTC to approve or decline to approve a Choice Program.

Section 501 authorizes a covered entity to collect or disclose aggregate information or de-identified information. A covered entity must take steps to protect that information. It is unlawful to re-identify or reconstruct such information, subject to FTC regulations.

Section 502 mandates that the Act shall have no effect on activities covered by other federal privacy laws.

Sections 601-605 grant enforcement authority to FTC and establish that a violation of titles I, II, or III of the bill is an “unfair or deceptive act or practice” as established by regulation promulgated by FTC under Section 18 of the FTC Act. These sections also grant enforcement authority to state attorneys general, subject to notification to and optional intervention by FTC, establish civil penalties for such violations, and authorize a limited private right of action.

Section 605 is a preemption provision of State laws that expressly require a covered entity to implement requirements with respect to the collection, use, or disclosure of covered information. The preemption provision does not apply to: laws that address health information or financial information; data breach laws; trespass, contract, or tort laws; and other laws that relate to acts of fraud.

Section 701 requires FTC to review the implementation of the Act and submit a report to Congress within 5 years of the Act’s enactment on its findings.

Section 702 requires FTC to conduct a consumer and business education campaign.

Section 703 establishes the effective date as 2 years after enactment.
