We’ve seen a shift in attitudes regarding the prospects of a federal privacy bill. The Business Roundtable supports a federal privacy bill and the U.S. Chamber of Commerce has recognized that federal inaction has led states to fill the gaps.
With privacy bills being debated in many states, there is a risk that 50 different “comprehensive” and conflicting privacy regimes could make conducting business on a nationwide basis extremely challenging. The solution would be a comprehensive federal bill that preempts state law.
Perhaps that’s why at the end of 2019, three federal privacy bills were circulated in Congress. Sen. Maria Cantwell (D-Wash.), along with other Democratic senators, introduced the Consumer Online Privacy Rights Act of 2019 (COPRA). Sen. Roger Wicker (R-Miss.) introduced the “Staff Discussion Draft” of the United States Consumer Data Privacy Act of 2019 (CDPA), and the House Energy and Commerce Committee staff released a bill for discussion.
The three bills have more similarities than differences. That is a positive sign for potential federal legislation.
Definition of ‘Covered Data’
All three proposals have a similar definition of “covered data.” This includes information that identifies, is linked, or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual. Each bill also excludes data that is de-identified, employee data, and publicly available information.
These commonalities signal a potential floor for covered data. However, COPRA includes additional categories of information such as information derived from covered data, and does not exclude aggregated data.
Although the CDPA and the House bill have broader applicability than COPRA, each bill would apply to entities subject to Federal Trade Commission regulation. The House bill would exempt smaller businesses from certain obligations, which, while offering flexibility, may lead to confusion by requiring businesses’ compliance efforts to fluctuate based on annual performance.
Opt-in Versus Opt-Out
One of the hottest debates in privacy is opt-out versus opt-in regimes—opt-in meaning that processing of personal information requires affirmative consent; opt-out meaning the default is that personal information can be processed absent a request to limit use. All three bills have aspects of both opt-in and opt-out approaches. Each bill also has a number of inferred exceptions to the requirements for opt-in consent.
Each bill provides consumers with the same basic rights: to know, to access, portability, to correct, and to delete. One difference is that the House bill requires the FTC to develop a “short form” privacy notice, which could create a safe harbor for businesses, a welcome addition.
As the EU’s General Data Protection Regulation and the California Consumer Privacy Act have made clear, businesses take different approaches regarding compliance with notice requirements. A template would benefit businesses and consumers.
Data Security Practices
All three proposals require businesses to establish, implement, and maintain reasonable data security practices. However, the data security provisions of the bills differ.
All require disposal of data after it is no longer needed, the identification and assessment of foreseeable risks and vulnerabilities, and the taking of corrective and preventative actions.
However, among the differences:
- the House bill and COPRA require data security employee training;
- COPRA and CDPA require the FTC to work with the National Institute of Standards and Technology to provide data security guidance;
- CDPA would have the FTC—consulting with NIST—publish guidance on data security and privacy training; and
- the House bill would require notification to the FTC of data breaches and submission of security policies.
While there are many similarities, some of the thorniest issues remain unresolved in the proposed bills.
The CDPA provides for enforcement by the FTC and state attorneys general. The House bill includes enforcement by those same parties, but also has a placeholder for a potential private right of action provision. COPRA, meanwhile, provides for dual enforcement, by the FTC and states, as well as through private actions.
This is one of the hardest-fought battlegrounds. Permitting both the FTC and state attorneys general to enforce any new federal law provides a robust enforcement mechanism. Yet consumer advocates will likely push for a private right of enforcement in any federal bill. If a federal bill were to include a private right of action, it would be critical to include damages caps or other guardrails to ensure that individual suits are not abused to the detriment of businesses and consumers alike.
Duty of Loyalty
COPRA includes a provision labeled “duty of loyalty” prohibiting covered entities from “deceptive data practice or a harmful data practice.” It is unclear exactly what this provision adds from a substantive perspective.
For example, COPRA already includes a provision that a violation of its terms is a deceptive trade practice punishable under the FTC Act. While the CDPA has a “Consumer Loyalty” provision, that provision is primarily aimed at ensuring consumers are not discriminated against for exercising their new privacy rights.
The biggest question regarding a federal privacy bill is what its relationships to state law will be. It is critical that any federal bill that is enacted have at least some level of state preemption. Otherwise, the bill would only add to the existing cacophony of privacy laws.
Despite the importance of this issue, each federal proposal adopts a different approach. The House bill is silent on the issue, leaving a placeholder. CDPA would preempt any state law related to data privacy or security, with the exception of state data breach laws. COPRA would supersede any state law that is in direct conflict, but would allow any law that afforded a greater level of protection. COPRA therefore would not limit the problem of conflicting state-level privacy regimes.
Despite their differences, the three proposed federal bills have important similarities, which alone is reason to believe that a federal privacy law may be closer than anticipated. There is likely a long road of negotiation ahead before we have a new law. However, the issues left to debate are narrowing, and that is a positive sign for businesses and consumers.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
David Saunders (CIPP/US) is a partner and member of Jenner & Block’s Data Privacy and Cybersecurity practice and its Complex Commercial Litigation practice. Clients turn to Saunders for his experience as an adviser, privacy professional, and litigator.
Allison Glover is department counsel and a member of Jenner & Block’s Data Privacy and Cybersecurity practice and Litigation Department. She has experience working through data incident response and counsels clients on HIPAA, CCPA, and state law privacy obligations.