February 17, 2020

February 17, 2020

Subscribe to Latest Legal News and Analysis

Congressional Privacy Action – Part 1: The Senate

As 2020 gets underway, Congress will continue to deliberate on federal privacy legislation in the second session of the 116th Congress.  The California Consumer Privacy Protection Act (CCPA) went into effect on January 1, and the state will begin enforcing the law on July 1.  State Attorney General Xavier Becerra (D) is expected to release final regulations implementing CCPA within six months (although business certainly hopes sooner….).  The new law, as well as other potential privacy laws that other state legislatures are considering, serves as a key backdrop on policy issues that Congress must address in any bipartisan bill.   

Senate Bills.  In the Senate, the Chairman and Ranking Member of the Senate Commerce, Science, and Transportation Committee each released draft privacy bills in late November.  Senator Roger Wicker (R-MS) released a staff draft of the Chairman’s version, the United States Consumer Data Privacy Act of 2019 (USCDPA) on November 27, a day after Ranking Member Maria Cantwell (D-WA), along with Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN) and Edward Markey (D-MA) formally introduced their version, the Consumer Online Privacy Rights Act (COPRA).  

The bills were the subject of a December 4 legislative hearing in front of the Commerce Committee titled “Examining Legislative Proposals to Protect Consumer Data Privacy.”  Negotiations between Senators Wicker and Cantwell (and their staff) are reportedly ongoing, and both sides are still expressing hope for a bipartisan compromise.

Areas of Commonality

The two Senate bills share many commonalities.  For instance, they both require covered entities that collect and process information to provide privacy policies informing consumers of the information they collect, how they use that information, and to whom they share or sell the information.  Both USCDPA and COPRA require such entities to provide consumers with a mechanism to restrict the processing or transfer of “covered data” and establish different types of mechanism for consumers to exercise their right of control.  Of note, neither bill makes an exception for first-party use of data for marketing purposes.  Both bills have data minimization and retention provisions; they require service providers to handle data in accordance with the Act and third parties to largely comply with first party protections and obligations.  And both bills provide consumers with rights similar to those established by the European Union’s (EU) General Data Protection Regulations (GDPR), namely the rights of access, deletion, correction, and portability.  Both bills empower the Federal Trade Commission (FTC) to implement and enforce the bill and subject violations of the law to civil penalties.

Key Differences

However, the scope and applicability of those relatively common provisions differ between the two bills.  Senator Wicker’s bill is narrower in scope and tends to provide covered entities with more flexibility in compliance.  The Senate Democratic proposal is broader in scope, applying to more types of information, and is more proscriptive with regard to corporate obligations.  For instance, COPRA treats as “sensitive” all web browsing data, while USCDPA only applies that moniker to browsing data related to other sensitive categories of information delineated in the bill.  (Both bills cover online and offline data.)  There are important differences between the two bills in the details of the access, deletion, correction and portability provisions.  And while both bills allow covered entities subject to existing, sector-specific federal privacy laws – e.g., the Gramm-Leach-Bliley Act (GLB Act) and the Health Information Protection and Portability Act (HIPAA) – to comply with those laws as a legal proxy for compliance with the Act, COPRA (unlike USCDPA) subjects communications services providers to both its provisions and the privacy provisions of the Communications Act.   Furthermore, COPRA provides the Federal Trade Commission (FTC) with general rulemaking authority under the Administrative Procedures Act (APA) to implement the provisions of the bill, while USCDPA provides the FTC with select APA rulemaking authority to carry out specific provisions in the bill, while also directing the Commission to provide non-binding guidance with respect to other provisions.

The two bills also significantly differ in key policy areas.  Most notably, they take polar opposite approaches on the preemption of state law and issues of liability.  Senator Wicker’s bill explicitly preempts any state “law, regulation, rule, requirement, or standard related to the data privacy or security and associated activities of covered entities.”  In contrast, the Senate Democratic bill establishes a floor preemption, allowing states to pass laws that are stricter than the federal provisions, and it further explicitly states that it does not preempt certain state laws, including common law and statutory causes of action, such as the private right of action for data breaches established by CCPA.  In addition, COPRA prohibits the use of arbitration provisions in contracts or agreements to resolve data privacy or security disputes.  Lastly, COPRA establishes a federal private right of action for any violation of the Act; such a provision is absent in Senator Wicker’s bill.  COPRA also declares that any violation of the Act – even procedural or technical violations that do not necessarily cause physical, economic or reputational harm – constitutes an injury to consumers.

The two bills differ in other significant ways.  For example, COPRA imposes a “Duty of Loyalty” on covered entities, reflecting a “data fiduciary” concept that Senator Schatz has codified in S. 2961, the Data Care Act, which he introduced with 15 other Democratic Senators.  This duty prohibits covered entities from engaging in deceptive or harmful data practices, including practices that intrude in a manner that “would be offensive to a reasonable person.”  COPRA also requires an executive certification of compliance with the law, while USCDPA does not have a similar requirement – both bills, though, require covered entities to designate a privacy and/or security officer responsible for compliance with the law.  COPRA requires covered entities to assess the impact of algorithmic decision making, including whether the algorithms and data sets unlawfully discriminate or are biased.  While Senator Wicker’s bill does not have a similar mandate, it directs the FTC to study the matter and work with authorized Federal agencies in preventing uses of covered data that violate existing anti-discrimination laws.  Lastly, COPRA establishes a new Bureau of Privacy within the FTC to implement and enforce the provisions of the bill.  Currently, the Commission’s regulatory and enforcement actions are largely conducted by the Division of Privacy and Identity Protection, a division within the Bureau of Consumer Protection.  USCDPA leaves this current organization structure in place.

Tomorrow, we’ll take a look at the House bill.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Christian T. Fjeld Vice President Mintz Strategies Lobbying & Public Policy
Vice President

Christian is based in our Washington, DC office and is a Vice President of ML Strategies. He assists a variety of clients in their interactions with the federal government.

Prior to joining ML Strategies, Christian spent nearly 10 years in staff leadership roles with the US Senate’s Committee on Commerce, Science, and Transportation serving Senator John D. Rockefeller IV (D-WV) as the former Chairman, Senator Bill Nelson (D-FL) as the former Ranking Member, and Senator Maria Cantwell (D-WA), the current Ranking Member of the committee. During most of his tenure, he was either a...

1-202-434-7433
Chris Harvie, Communication Attorney, FCC, Mintz Levin, Communications Privacy & Cybersecurity FCC Regulation Legislative Strategy Cable & Telecom Transactions Franchising & Rights-of-Way Issues
Member

Chris devotes his practice to assisting cable operators, broadband companies, and content providers with a broad range of legal, policy and legislative matters. He represents clients before federal and state agencies, on Capitol Hill, and in court on a variety of communications law issues. Chris’s areas of specialty include privacy, cybersecurity, surveillance law, broadband policy, franchising and access to local rights-of-way, and policy and legislative issues affecting the Internet of Things. As a former committee counsel to the chair of the US Senate Judiciary Committee’s Antitrust, Monopolies, and Business Rights subcommittee, Chris focused on media and telecommunications, intellectual property, and First Amendment issues.

Chris focuses chiefly on legal, policy, and legislative issues affecting cable and telecommunications companies. He has represented clients in proceedings before the Federal Communications Commission, Congress, federal and state courts, and state and local regulatory bodies.

He assists clients on a broad range of cable television legal and policy matters, including cable franchising and regulation, privacy, programming agreements, content licensing and copyright, rate regulation, set-top box issues, inside wiring, and broadband network policy.

202.434.7377
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732