Federal Privacy Legislation Update: Consumer Data Privacy and Security Act of 2020
Saturday, March 14, 2020
privacy protection an consumer data
Print Mail Download i

On March 13, 2020, Senator Jerry Moran (R-Kansas), Chairman of the Senate Commerce Subcommittee on Consumer Protection, introduced the “Consumer Data Privacy and Security Act of 2020” (the “CDPSA”). The CDPSA joins several other proposed pieces of federal legislation in vying to create an overarching, federal data-privacy framework. Generally, the CDPSA is consistent with the current data-privacy legal frameworks and integrates themes from the CCPA and GDPR and also learned from some of their shortfalls (e.g., the CDPSA excludes employee data from the definition of personal data). On the spectrum of business-friendliness, the CDPSA is more favorable to small and midsize businesses rather than the CCPA and GDPR for several reasons, some of which are discussed below. Perhaps the most significant being the favorable thresholds established by the CDPSA for qualification as a “small business” and the absence of a private right of action. The CDPSA provides for similar individual rights and protections as the CCPA and GDPR but attempts to reduce the burden on small and midsize businesses by exempting “small businesses” from certain compliance obligations (e.g., small businesses are not required to comply with an individual’s rights to access, accuracy, or correction). 

The following are our Top 10 highlights of the CDPSA:

1. Small Business. The definition of “Small Business” is favorable to small and midsize businesses because the qualification thresholds are higher than the CCPA: $25 Million, no year requirement); processes personal data of

2. No private right of Action. FTC or State Attorneys General may bring civil enforcement actions under the CDPSA to: (1) enjoin the violative practice, (2) enforce compliance with the CDPSA or regulations, or (3) impose a civil penalty (in addition to any injunctive relief) for actual-knowledge violations of the CDPSA or regulations. The civil penalty shall be the number of individuals affected by a violation multiplied by an amount not to exceed $42,530. The CDPSA establishes several factors to be considered in determining the amount of the civil penalty.

3. Express preemption of state law. The CDPSA expressly preempts state and local laws related to the privacy or security of personal data. However, the following state and local laws shall not be preempted to the extent such laws do not conflict with the CDPSA: (1) data breach notification laws, (2) criminal or civil procedure, (3) general standards of fraud or public safety, (4) laws that address the privacy of any group of students as defined in FERPA, (5) employment laws, including laws governing employment-related data; or (6) laws protecting the right of individuals to be free of discrimination based on race, sex, national origin, or other suspect classification identified under state law.

4. Express preemption of federal law (sort of). The CDPSA expressly preempts federal statutes and regulations related to the privacy or security of personal data. However, the following federal laws are exempt: (1) The Children’s Online Privacy Protection Act (“COPPA”), (2) Communications Assistance for Law Enforcement Act, (3) Section 227 of the Communications Act of 1934, (4) Title V of the Gramm-Leach-Bliley Act (“GLBA”), (5) The Fair Credit Reporting Act, (6) The Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), (7) The Family Educational Rights and Privacy Act (“FERPA”), (8) Electronic Communications Privacy Act, (9) The Driver’s Privacy Protection Act of 1994, and (1) the Federal Aviation Act of 1958. A covered entity required to comply, and in compliance, with the aforementioned federal laws is deemed compliant with the CDPSA.

5. Federal Trade Commission. The CDPSA designates the FTC as the federal agency in charge of administering the CDPSA and grants its rule making authority and provides a mechanism for additional personnel and resources to assist with administering the CDPSA. 

 

6. Exceptions for small businesses. Covered entities that qualify as small businesses are exempt from complying with an individual’s right to access and rights to accuracy and correction. The CDPSA includes an exception for service providers that qualify as small businesses that considers and takes into account, the technical feasibility of any requirements imposed on such small business, service provider in determining any penalty for violations of the CDPSA.

 

7. Consent. The CDPSA establishes two standards of consent: (1) implicit consent, where an individual is deemed to have provided consent to collection or processing of personal data if she did not decline the request after provided with notice and a reasonable amount of time has passed, and (2) express affirmative consent, where collection or processing involves sensitive personal data or the disclosure of personal data to a third party is not for the covered entity’s permissible purpose. To be valid, express affirmative consent must be: (1) clearly, prominently, and unmistakably stated, (2) in response to a notice and request to collect or process personal data, and (3) cannot be inferred from inaction.

8. Privacy Policies and Notice. Consistent with current privacy laws, the CDPSA requires covered entities to make their privacy policies publicly available in clear and prominent locations and written in “easy-to-understand” language. However, the CDPSA includes two unique requirements: a covered entity must (1) make publicly available any previous versions of its privacy policy, and (2) provide direct notice of any material changes to its privacy policy. The CDPSA neither specifies the time period or the number of versions of a covered entity’s privacy policy to be made publicly available nor defines what constitutes a “material” change of a privacy policy. 

9. Processing of Personal Data. The CDPSA establishes two ways a covered entity (and its service providers) may collect or process personal data: (1) the individual provides consent, or (2) such collection or processing is done for a Permissible Purpose. A third party may collect or process personal information without directly obtaining an individual’s consent if: (1) the covered entity disclosing such personal data: (a) provided the individual with notice and specific purpose of the third-party collection or processing and (b) the individual consented to the collection or processing; or (2) the third-party collection or processing is done for the third party’s limited permissible purpose.

10. Permissible Purpose. Covered entities and service providers may collect or process personal data without an individual’s consent to the extent reasonably necessary and limited to a defined Permissible Purpose. Compared to the GDPR’s lawful bases, the CDPSA’s enumerated Permissible Purposes seem broader and more practical. The CDPSA establishes the following Permissible Purposes: (1) provision of service or performance of a contract; (2) compliance with laws; (3) to prevent immediate danger to the personal safety of any individual (including to effectuate a product recall); (4) to prevent fraud and protect the security of the covered entity’s, service providers’, or individual’s rights, property, services, or information systems; (5) research performed by the covered entity or service provider (at the direction of the covered entity); and (6) the covered entity’s or service provider’s operational purposes. Operation purposes include internal operations (e.g., billing, website maintenance, financial reporting); short-term, transient use; marketing or advertising; to improve products and services; and any additional specific purposes defined by the FTC.

While Congress has yet to choose which proposed federal privacy legislation, if any, should move forward, it is clear that the drafters of the CDPSA are in touch with the key trends in the privacy industry, including the grant of robust privacy rights to consumers and imposing substantial penalties for entities violating such rights and learning from the shortfalls of the current framework of privacy laws. Overall, the CDPSA attempts to strike a balance between the protections afforded to consumers by the GDPR and CCPA and costs of compliance for small to medium- sized businesses. We will continue to track the CDPSA as it makes its way through the legislative process. 

 

© Polsinelli PC, Polsinelli LLP in California

Current Legal Analysis

More from Polsinelli PC

Vote Scheduled for FTC Final Rule Banning Non-Competes – What You Need to Know
by: Eric E. Packel , Sean R. Gallagher
FDA Preemption of State Law for False Labeling Survives Appeal to Supreme Court
by: Gina L. Tincher , Stacy A. Carpenter
What to Know About New York’s New Supplement Law Going into Effect this Month
by: Stuart M. Pape , Suzanne E. Bassett
The EEOC Issues its Final Rule about the Pregnant Workers Fairness Act
by: Shivani P. Bailey
Easement Fund Victory on Perpetuity Will Result in More Attention on Valuation
by: Lauren P. DeSantis-Then , William J. Sanders
Blockchain+ Bi-Weekly: Week of April 15, 2024
by: Jonathan E. Schmalfeld , Stephen A. Rutenberg
The European Union Has Assigned Your AI Some Homework
by: Aaron M. Levine , Catherine (Cat) Kozlowski
U.S. Federal Privacy Bill Unveiled
by: Allison G. Dressel , Lisa J. Acevedo
Spring Cleaning for your Nonprofit: Dusting Off Your Articles, Bylaws, and Form 1023
by: Lisa M. Schultes , Jacob Zerkle
Examining Community Benefit: The IRS' Shifting Standards for Tax-Exempt Hospitals
by: Michael Kuczynski , Lisa M. Schultes

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins