New Federal Privacy and Data Protection Legislation Introduced
Currently there is no federal privacy and data protection law in the United States, only a patchwork of industry-specific laws. Laws have been introduced at the state level, such as the California Consumer Protection Act (CCPA) and the New York SHIELD Act, but privacy protections can vary considerably from state to state.
There have been several attempts to introduce national privacy and data protection laws covering all industry sectors. Some of the proposed bills aim to replace state laws, while others have attempted to introduce national standards and retain state laws, which would apply if they provided greater protections than the federal law. While support for a federal privacy law is growing, none of the proposed bills have succeeded thus far.
Recently there have been two further attempts to introduce privacy protections at the national level. U.S. Sen. Maria Cantwell (D-Washington) introduced the Consumer Online Privacy Rights Act (COPRA), which aims to introduce privacy and data protection regulations similar to those of CCPA.
COPRA applies to a wide range of entities, including businesses, nonprofits, certain financial institutions, and entities covered by the Federal Trade Commission Act, but small businesses are largely exempt. The law would apply to businesses with an annual turnover of $25 million or more and to any business that generates 50% or more of its income from transferring or selling consumer data.
Similar to the EU General Data Protection Regulation, the bill will require affirmative consent to be provided by consumers before their personal data can be collected, processed, or used. The law prohibits deceptive data practices, and covered entities would be required to publish a privacy policy that clearly states how consumer data will be used, the data retention period, and the covered entity’s data security policy.
Consumers would be given the right to obtain a copy of their data and would also have the right to opt out of data sharing and have their personal data deleted. The law would be enforced by the Federal Trade Commission.
Maria Cantwell’s bill is not intended to replace state laws, only introduce minimum standards and give all U.S. citizens new rights over their personal data. CCPA and the New York SHIELD Act would still apply, as they provide even greater protections for consumers.
A draft copy of another bill has now been released by Senator Roger Wicker (R-Miss), Chair of the Commerce Committee. This rival bill is called the United States Consumer Data Privacy Act of 2019 (CDAP). In some respects, CDAP goes further than CCPA as it provides greater detail on requirements for businesses and applies to a much broader range of companies.
CDAP requires companies to publish a privacy policy that details how they will collect data, why that data is being collected, how long the data will be stored, and the company’s security practices.
CDAP would also require affirmative consent to be obtained from consumers before any data could be used for reasons other than those stated in the privacy policy and before any data could be sold.
There are also data minimization requirements, under which covered entities would only be permitted to collect the data needed to achieve the purpose for which it is being collected. Companies would also be required to adopt security best practices.
Consumers would be allowed to obtain a copy of their personal data, and requests would need to be processed within 45 days. A consumer would be permitted to request data up to two times a year, free of charge. Sen. Wicker says that the new law would be “better, stronger, and clearer” than CCPA.
CDAP is intended to replace state laws, not complement them. It does not include a private cause of action, so consumers would not be permitted to sue for violations of the Act. As with Sen. Cantwell’s bill, the Federal Trade Commission would be responsible for enforcement.
On December 4, 2019, both bills were discussed in a Senate Commerce Committee hearing, but Republicans and Democrats could not reach agreement on the content of the bill, only that bipartisan legislation would be required for the privacy and data protection measures to become law. Two notable sticking points were whether there should be a private cause of action and whether the federal law should preempt state laws.