The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other “copy-cat” privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.
In the past year, US legislators have proposed a wide variety of data privacy laws—none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:
- Obtain affirmative express consent from individuals prior to processing sensitive covered data;
- Provide transparent privacy policies;
- Maintain reasonable data security practices;
- Conduct privacy/risk assessments; and
- Provide individuals rights to access, correction, deletion and data portability.
While enforcement under both proposals is brought by the Federal Trade Commission (FTC), COPRA also allows for individual private right of action while the CDPA does not. Another key difference is that the CDPA preempts state data privacy and security laws (except data breach notification laws), whereas COPRA leaves state laws in place to the extent they afford greater protection.
In December 2019, the House Energy & Commerce Committee negotiated a bipartisan discussion draft on federal privacy regulation. The proposed law would establish a new administrative unit within the FTC called the Bureau of Privacy to administer and enforce the law. The discussion draft requires covered entities to:
- Establish a privacy program with designated privacy protection officers;
- Provide individuals the right to access, delete and correct their information;
- Abide by requirements derived from principles of data minimization and use limitation; and
- Implement reasonable security measures.
The discussion draft also sets out registration requirements for “information brokers.” The discussion draft does not address federal preemption or private rights of action, possibly because Republicans and Democrats are divided on these issues.
Other notable federal data privacy law proposals include the following:
- Online Privacy Act: This act was proposed by House Democrats and is a comprehensive privacy bill that provides for individual privacy rights, establishes privacy and security requirements, and establishes a new federal agency—the United States Digital Privacy Agency—to enforce the rights and requirements.
- Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act: This act was proposed by Senate Democrats and would require data harvesters like social medial platforms to inform consumers and financial regulations of the data they are collecting and if the data is being leveraged by the platform for profit.
- American Data Dissemination Act (ADD Act): This act is sponsored by Senate Republicans and seeks to provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economies and places much of the regulatory burden on the FTC.
- Social Media Privacy Protection and Consumer Rights Act of 2019: This bipartisan proposal would grant individuals certain privacy rights, but also allows covered entities to deny certain services if an individual’s request to opt out makes the service inoperable.
- Privacy Bill of Rights Act: This proposal, supported by Senate Democrats, combines GDPR-like terms (including “consent prior to collection of personal information”) with the CCPA’s broad definition of “personal information.”
Many proposals focus on the principles of transparency, use limitation, data minimization and individual consumer rights, but tend to differ on enforcement mechanisms and preemption. 2019 was an active year for privacy legislation, especially on the state level. As privacy issues continue to be a hot topic among individual consumers and policymakers, all eyes will be watching to see whether the United States will finally pass a comprehensive federal privacy law in 2020.