On March 12, 2020, U.S. Sen. Jerry Moran, R-Kan., introduced the Consumer Data Privacy and Security Act, signaling that despite the political impasse on previous bills and focus on current pressing national health matters, privacy remains top of mind for the nation’s lawmakers.

Moran is a member of the Senate Committee on Commerce, Science, and Transportation, from which several recent and similar bills have sprung, and chairs the Subcommittee on Consumer Protection. In his statement announcing the proposal, he pointed to his participation in many committee hearings and work with colleagues on both sides of the aisle to advance efforts to develop a federal proposal. But, reporting suggests bipartisan talks broke down, leading Moran to put forward his own bill.

So, what does this latest U.S. Senate privacy proposal provide, and how does it align or differ from those that came before it? Are we inching toward bipartisan compromise, in areas other than preemption and a private right of action? Might we have the outline of what could finally become a federal privacy law in the United States?

What does CDPSA cover?

CDPSA has broader applicability than both of the similar Senate proposals that preceded it — Sen. Maria Cantwell’s, D-Wash., Consumer Online Privacy Rights Act and Sen. Roger Wicker’s, R-Miss., Consumer Data Privacy Act.

CDPSA applies to all entities subject to the jurisdiction of the Federal Trade Commission, as well as common carriers and nonprofit organizations, both of which are otherwise carved out of FTC jurisdiction. In this respect, CDPSA aligns with CDPA but is broader than COPRA, which does not cover nonprofits or common carriers.

Small businesses are subject to CDPSA, though they are excluded from access, accuracy and correction requirements and granted special consideration in areas governing erasure, transfers to service providers, and penalties for noncompliance. This structure is closer to CDPA, though CDPA also excludes small businesses from deletion requirements. COPRA, by contrast, excludes small businesses from all the act’s requirements. The bills’ definition of small businesses also differ.

Finally, all three bills exclude entities subject to and complying with specific sectoral privacy laws, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, and others.

What privacy rights does CDPSA provide?

CDPSA provides commonly recognized privacy rights, aligned with those outlined in COPRA and CDPA. To help stakeholders compare the approaches, we have charted which provisions are included in each bill and where within the bill they can be found.

Key principles include:

• Consent: CDPSA requires an individual’s consent for data processing for specific purposes. Explicit consent is required for processing sensitive data and transfers of personal data to third parties, other than in specific instances. These include when the transfer is to provide a service, perform a contract, conduct a transaction or act on a request initiated by the individual, to prevent immediate danger to any individual, to prevent fraud, to conduct specified research, for operational purposes or as provided by the FTC in subsequent rulemaking. This approach generally aligns with CDPA. COPRA follows a similar pattern with implicit consent required for most personal data processing and explicit consent required for processing sensitive data, though the definitions of sensitive data differ. COPRA differs with regard to transfers, granting individuals the right to opt out of the transfer of their covered data for “valuable consideration” and would grant the FTC rulemaking in that area.
• Access: CDPSA requires covered entities to provide individuals with their own covered data upon request, in a portable format, as well as the categories of third party to which the personal data has been transferred. CDPA and COPRA include similar requirements but go one step further requiring covered entities to provide the names of third parties to which personal information has been transferred in certain circumstances.
• Correction and deletion: Under all three bills, individuals are granted rights related to correction and deletion of their own covered data with some differences in framing. Under CDPSA, covered entities must have reasonable procedures to ensure data accuracy and provide individuals the ability to dispute that accuracy and request correction. With regard to deletion, CDPSA requires covered entities to delete or deidentify data upon verified request, with certain exceptions. CDPA grants individuals the right to request correction without a clear indication of how the covered entity must respond. COPRA goes further, requiring covered entities to correct inaccuracies and delete upon a verified request. All three bills require covered entities to share correction and deletion requests with service providers and third parties, but CDPSA requires covered entities to “direct” service providers to delete the data and places the onus on service providers to correct and delete.
• Transparency: Covered entities, under all three proposals, are required to provide notice of the types of data processed, the purposes for which data is processed, the categories of data shared with third parties and the types of third parties with which it is shared, relevant data retention periods, a description of individuals privacy rights, and a point of contact within the organization. COPRA also requires covered entities to disclose the identity of each third party to which covered data is transferred. COPRA and CDPA state that the privacy policy must be available in all languages in which the covered entity does business, whereas CDPSA does not.
• Data minimization: CDPSA creates few data minimization obligations for covered entities, only limiting retention of sensitive data in an identifiable form to a time period necessary to accomplish the intended purposes. CDPA and COPRA, by contrast, provide that covered entities may only process covered data for specific purposes, subject to necessity and proportionality standards.
• Data security: Under all three proposals, covered entities must provide reasonable security, assess vulnerabilities and implement corrective action when risks are identified. CDPSA goes further, requiring covered entities to implement a comprehensive data security program, including designation of a responsible employee, employee training (also included in COPRA), and due diligence with regard to the security practices of service providers to which data is transferred.

How does CDPSA support privacy in practice?

All three proposals mandate the appointment of privacy officers and some form of privacy impact assessment, and both CDPSA and COPRA require comprehensive privacy programs. CDPA does not require a comprehensive program but does state that covered entities must “maintain internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions that implicate compliance.”

With regard to CDPSA specifically, entities must designate a privacy officer to oversee the policies and practices relating to the collection and processing of personal data. This officer will be charged with informing and advising the entity of its responsibilities under the act, monitoring compliance, overseeing PIAs and comprehensive privacy programs, where required, and acting as a contact point for enforcement authorities.

CDPSA’s comprehensive privacy program requires applicable entities to implement appropriate technical or operational safeguards and other privacy-enhancing technologies. The program must include processes to verify the entity’s compliance with its privacy policies and relevant representations to consumers and clients. It must also ensure that privacy controls are adequately accessible and effective at safeguarding the expressed preferences of the individual or client.

What are the most significant points of contention?

A federal privacy law (and numerous other state laws) might already exist were it not for partisan disagreements over two critical elements: a private right of action and preemption. Sen. Moran’s proposal toes the party line on those two issues. It includes broad preemption of state privacy laws and excludes a private right of action.

Under CDPSA, enforcement would be carried out by a significantly bolstered FTC, as well as state attorneys general. The act provides that the FTC chair must appoint no fewer than 440 additional staff to enforce the requirements and other laws related to privacy and data security. It also provides the FTC direct fining authority with penalties per violation of up to $42,530 multiplied by the number of individuals affected. 

What’s next?

What comes next is entirely unclear. With all attention currently focused on COVID-19 response and the 2020 elections, the next steps are vague at best. The fact that Moran tabled his bill this month despite so many competing priorities suggests that lawmakers have not forgotten about the importance of privacy or how close they have come to forging bipartisan consensus.

We will keep a close eye on their efforts.

Photo by Bernd Klutsch on Unsplash