On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize. The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.
Who Would Be Subject to the Law
- Specifically, the proposal applies to “commercial data operators,” defined as consumer online services providers or data brokers that:
- Generate a material amount of revenue from the use, collection, processing, sale or sharing of user data; and
- Have more than 100 million unique monthly users in the United States for a majority of the months in the previous one-year period.
New Obligations for In-Scope Operators
- Frequent Disclosures to Users (every 90 days)
- In-scope operators must make the following disclosures to users on a routine basis (not less frequently than every 90 days):
- Economic value assessment – an assessment of the economic value the operator places on the user’s data.
- Information – information about the types of data collected from the users, whether by the operator or by a third party under a contract with the operator, and the ways in which the data is used (if such use is not directly or exclusively related to the online service provided to the user).
- User’s Right to Delete Data
- In-scope operators must provide users with a mechanism by which users can delete all, or individual fields, of the data that the operator possesses or controls with respect to the user. The deletion requirement is subject to certain exceptions, including legal obligations of the operator, the existence of legal claims, and detection and prevention of security incidents or illegal activity.
- Disclosures to the SEC
- In-scope issuers must disclose in their annual or quarterly SEC reports the total value of all the data they hold and any contracts with third parties for the collection of user data through their online service.
- Within one year of the law’s enactment, in-scope issuers would be required to provide additional disclosures, including, among other things: measures in place to protect the user data; an assessment of the risks associated with storing the data; each discrete revenue-generating operation that relies on user data; the entry into any contract valued at more than $10 million related to collection or sharing of user data; and the amount of revenue derived during the reporting period from collecting, processing, selling, using or sharing user data.
- In-scope operators must make the following disclosures to users on a routine basis (not less frequently than every 90 days):
Valuation of User Data
- The bill directs the SEC, in consultation with standards setting organizations, to develop methodologies for calculating the value of user data. It notes that distinct methods may be needed to calculate the value of data for different uses, sectors and business models.
Potential Impact
- Users have generally been encouraged to view online platforms as “free” services, but the DASHBOARD Act may change this. The bill attempts to increase transparency and put a dollar figure on what a user’s participation in the service is worth to the service provider. With this information, users will be able to decide whether, in fact, they are “paying” too much for access. The bill does not attempt to redistribute any of this value. Users will not receive remuneration for data, but they will be informed that this value exists and potentially be able to make more informed decisions as a result.
- While the bill’s prospects are unclear, it comes in the midst of several overlapping dynamics facing by the tech industry: a push for a federal privacy law, a developing view in the U.S. of personal data as a discrete asset and increasing scrutiny of the large technology companies by antitrust regulators.
- Push for a Federal Privacy Law. In the wake of the full implementation of the EU General Data Protection Regulation (GDPR) and the enactment of the California Consumer Privacy Act of 2018 (CCPA) (which will go into effect January 1, 2020), U.S. lawmakers have been actively discussing a comprehensive federal data privacy law. While it remains to be seen whether any bill can garner the necessary consensus to get through Congress, consumer groups are pushing for any federal bill to include transparency and control features such as the requirements in this bill to provide consumers with information about what data has been collected about them and a right to request that their data be deleted. Such features are also found in the GDPR and CCPA, as well as in Brazil’s new privacy law. Enforcement of the DASHBOARD Act would fall within the jurisdiction of the Federal Trade Commission (FTC) under Section 5 of the FTC Act, under which the FTC investigates “unfair or deceptive acts or practices in or affecting commerce.” In addition, the FTC would be responsible for issuing regulations under the act, a feature consistent with the FTC’s desire for targeted rulemaking authority under any federal privacy legislation. However, the bill does not contain certain additional consumer protection authority the FTC has been lobbying for, such as the authority to impose civil penalties.
- Personal Data as an Asset. The bill’s requirement to disclose the value of data is consistent with a developing view in the United States of personal data as a discrete asset that consumers may sell (or choose not to sell). This complements certain provisions in the CCPA, such as the provision permitting consumers to opt out from the sale of their data and the provision giving them the right to equal treatment. Under the latter, while covered businesses are prohibited from discriminating against consumers who exercise rights under the CCPA (e.g., the business cannot deny them goods or services or charge them a different price), certain discrimination is permitted – i.e., the CCPA explicitly allows businesses to charge consumers a different price or rate, or provide them with a different level or quality for goods or services, if such difference is reasonably related to the value of the consumer’s data. Knowing the value of one’s data permits a more intelligent determination of whether discrimination is fair.
- Antitrust Scrutiny. From an antitrust standpoint, the bill’s sponsors have indicated that the required transparency about the value of the user data could encourage competition and make it easier for agencies such as the Federal Trade Commission to identify anticompetitive practices. The two senators have been outspoken advocates of regulating big tech companies, and recently collaborated on a “Do Not Track” bill, which would allow users of online services to opt out of any non-essential online data tracking (that is not necessary for the service to properly work).