Congressional Privacy Action – Part 1: The Senate
As 2020 gets underway, Congress will continue to deliberate on federal privacy legislation in the second session of the 116th Congress. The California Consumer Privacy Protection Act (CCPA) went into effect on January 1, and the state will begin enforcing the law on July 1. State Attorney General Xavier Becerra (D) is expected to release final regulations implementing CCPA within six months (although business certainly hopes sooner….). The new law, as well as other potential privacy laws that other state legislatures are considering, serves as a key backdrop on policy issues that Congress must address in any bipartisan bill.
Senate Bills. In the Senate, the Chairman and Ranking Member of the Senate Commerce, Science, and Transportation Committee each released draft privacy bills in late November. Senator Roger Wicker (R-MS) released a staff draft of the Chairman’s version, the United States Consumer Data Privacy Act of 2019 (USCDPA) on November 27, a day after Ranking Member Maria Cantwell (D-WA), along with Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN) and Edward Markey (D-MA) formally introduced their version, the Consumer Online Privacy Rights Act (COPRA).
The bills were the subject of a December 4 legislative hearing in front of the Commerce Committee titled “Examining Legislative Proposals to Protect Consumer Data Privacy.” Negotiations between Senators Wicker and Cantwell (and their staff) are reportedly ongoing, and both sides are still expressing hope for a bipartisan compromise.
Areas of Commonality
The two Senate bills share many commonalities. For instance, they both require covered entities that collect and process information to provide privacy policies informing consumers of the information they collect, how they use that information, and to whom they share or sell the information. Both USCDPA and COPRA require such entities to provide consumers with a mechanism to restrict the processing or transfer of “covered data” and establish different types of mechanism for consumers to exercise their right of control. Of note, neither bill makes an exception for first-party use of data for marketing purposes. Both bills have data minimization and retention provisions; they require service providers to handle data in accordance with the Act and third parties to largely comply with first party protections and obligations. And both bills provide consumers with rights similar to those established by the European Union’s (EU) General Data Protection Regulations (GDPR), namely the rights of access, deletion, correction, and portability. Both bills empower the Federal Trade Commission (FTC) to implement and enforce the bill and subject violations of the law to civil penalties.
However, the scope and applicability of those relatively common provisions differ between the two bills. Senator Wicker’s bill is narrower in scope and tends to provide covered entities with more flexibility in compliance. The Senate Democratic proposal is broader in scope, applying to more types of information, and is more proscriptive with regard to corporate obligations. For instance, COPRA treats as “sensitive” all web browsing data, while USCDPA only applies that moniker to browsing data related to other sensitive categories of information delineated in the bill. (Both bills cover online and offline data.) There are important differences between the two bills in the details of the access, deletion, correction and portability provisions. And while both bills allow covered entities subject to existing, sector-specific federal privacy laws – e.g., the Gramm-Leach-Bliley Act (GLB Act) and the Health Information Protection and Portability Act (HIPAA) – to comply with those laws as a legal proxy for compliance with the Act, COPRA (unlike USCDPA) subjects communications services providers to both its provisions and the privacy provisions of the Communications Act. Furthermore, COPRA provides the Federal Trade Commission (FTC) with general rulemaking authority under the Administrative Procedures Act (APA) to implement the provisions of the bill, while USCDPA provides the FTC with select APA rulemaking authority to carry out specific provisions in the bill, while also directing the Commission to provide non-binding guidance with respect to other provisions.
The two bills also significantly differ in key policy areas. Most notably, they take polar opposite approaches on the preemption of state law and issues of liability. Senator Wicker’s bill explicitly preempts any state “law, regulation, rule, requirement, or standard related to the data privacy or security and associated activities of covered entities.” In contrast, the Senate Democratic bill establishes a floor preemption, allowing states to pass laws that are stricter than the federal provisions, and it further explicitly states that it does not preempt certain state laws, including common law and statutory causes of action, such as the private right of action for data breaches established by CCPA. In addition, COPRA prohibits the use of arbitration provisions in contracts or agreements to resolve data privacy or security disputes. Lastly, COPRA establishes a federal private right of action for any violation of the Act; such a provision is absent in Senator Wicker’s bill. COPRA also declares that any violation of the Act – even procedural or technical violations that do not necessarily cause physical, economic or reputational harm – constitutes an injury to consumers.
The two bills differ in other significant ways. For example, COPRA imposes a “Duty of Loyalty” on covered entities, reflecting a “data fiduciary” concept that Senator Schatz has codified in S. 2961, the Data Care Act, which he introduced with 15 other Democratic Senators. This duty prohibits covered entities from engaging in deceptive or harmful data practices, including practices that intrude in a manner that “would be offensive to a reasonable person.” COPRA also requires an executive certification of compliance with the law, while USCDPA does not have a similar requirement – both bills, though, require covered entities to designate a privacy and/or security officer responsible for compliance with the law. COPRA requires covered entities to assess the impact of algorithmic decision making, including whether the algorithms and data sets unlawfully discriminate or are biased. While Senator Wicker’s bill does not have a similar mandate, it directs the FTC to study the matter and work with authorized Federal agencies in preventing uses of covered data that violate existing anti-discrimination laws. Lastly, COPRA establishes a new Bureau of Privacy within the FTC to implement and enforce the provisions of the bill. Currently, the Commission’s regulatory and enforcement actions are largely conducted by the Division of Privacy and Identity Protection, a division within the Bureau of Consumer Protection. USCDPA leaves this current organization structure in place.
Tomorrow, we’ll take a look at the House bill.