The Genesis of Three Competing Federal Bills
In 2018, numerous congressional and industry proposals aimed to address privacy at the federal level. Although none crystallized into federal law, the sheer number of lawmakers introducing proposals and joining the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to pass bipartisan federal privacy legislation. The California Consumer Privacy Act's (CCPA) January 1, 2020 effective date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down toward the end of 2019 and produced three separate, rival legislative proposals: COPRA, CDPA, and CDPSA.
Consumer Online Privacy Rights Act
The Consumer Online Privacy Rights Act (COPRA) is the Democratic proposal that emerged from the Republican/Democratic split in the Commerce Committee in late 2019. Ranking Member Maria Cantwell (D-Washington) introduced the bill in November 2019, co-sponsored by fellow Democratic Senators Brian Schatz (D-Hawaii), Amy Klobuchar (D-Minnesota), and Ed Markey (D-Massachusetts).
Consumer Data Privacy Act
The Consumer Data Privacy Act (CDPA) is the Republican rival to COPRA that resulted from the same partisan split in the Commerce Committee in late 2019. The draft emerged from the office of Senate Commerce Committee Chairman Roger Wicker (R-Mississippi) and is circulating as a working draft rather than an introduced bill.
Consumer Data Privacy and Security Act
One of the most recent legislative proposals attempting to fill the federal privacy legislation void is the Consumer Data Privacy and Security Act (CDPSA), which Senator Jerry Moran (R-Kansas), Chairman of the Commerce Subcommittee on Consumer Protection, introduced in March 2020. The bill came after talks between Senators Moran and Blumenthal (D-Connecticut) on a potential bipartisan bill broke down. Those discussions were a last-ditch attempt to revive the broader bipartisan Commerce Committee negotiations that collapsed in late 2019 and produced COPRA and CDPA.
CDPSA and CDPA both seek to govern any entity subject to FTC authority plus (i) common carriers (as defined by the Communications Act of 1934) and (ii) nonprofit organizations. COPRA's scope is narrower: it applies only to entities already subject to FTC authority and therefore does not reach common carriers or nonprofits.
All three proposals attempt to ease compliance costs for small businesses, though they approach this goal in different ways. COPRA does so through a blanket small business exemption from the proposal's requirements. In contrast, CDPSA and CDPA exempt small businesses only from specific requirements, and the particular exemptions differ between the two proposals. Each of the three proposals also defines "small business" slightly differently.
Categorization of Data
CDPSA and CDPA generally approach the categorization of data by defining two categories of data that fall under their provisions. The first category is "personal data," which includes any data that "is linked or reasonably linkable to a specific individual." The second category is "sensitive data," which includes things such as geolocation data, data related to sexual orientation, and financial data.
COPRA's counterpart to "personal data" is "covered data," defined as any data that "identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data." COPRA, like CDPSA and CDPA, has a second category of data, referred to as "sensitive covered data." However, COPRA defines sensitive data more broadly than CDPSA and CDPA do, reaching data such as metadata from the data subject's communications, email addresses, account credentials, and "information revealing online activities over time and across third-party websites or online services."
All three proposals specifically exclude employee data and public records from both categories of covered data. All three also empower the FTC to promulgate rules adding other types of data to either category.
Consent to Data Usage and Transfers
CDPSA, CDPA, and COPRA all approach consumer consent by requiring consent to the collection or processing of personal data for a specific purpose. CDPSA additionally requires heightened "affirmative express" consent for (1) the processing of sensitive data and (2) the transfer of sensitive data to a third party. COPRA also includes a right to opt out of data transfers to third parties.
CDPSA's notice requirement obliges the covered entity to detail the categories of data collected, the purpose of collection for each category, whether sensitive data is processed or provided to a third party, and whether any data at all is provided to a third party.
Rights of Access, Correction, and Deletion
CDPSA approaches the right of access by requiring a covered entity to confirm whether it collected or processed a person's data, provide a copy of that data, and list the categories of third parties to which the data has been disclosed. CDPA and COPRA take generally the same approach, except that both require the covered entity to disclose the actual names of the third parties that received the data. All three require that the covered entity, if requested, provide the data in a portable format.
With respect to the right to deletion, CDPSA allows a subject to request deletion and provides that a covered entity may respond by deleting or de-identifying that subject's personal data, unless the personal data was collected for a permissible purpose defined in the statute. CDPSA also requires the covered entity to direct any service provider to delete or de-identify that subject's data as well. CDPA offers no right to deletion. COPRA requires the covered entity to delete the subject's data upon request and to relay that request to any service provider.
As to the right of correction, CDPSA requires a covered entity to provide a mechanism for a subject to correct his or her data in a way that "is appropriate and reasonable based on the benefits and risks of harm to the individual." CDPA and COPRA also provide a right of correction, but neither specifies how a covered entity must implement it.
All three proposals address data minimization. CDPSA requires covered entities to delete or de-identify sensitive data, and to direct their third-party service providers to do the same, once the data is no longer reasonably needed to accomplish the purpose for which it was collected. CDPA provides that a covered entity may not collect, process, or transfer data beyond what is "reasonably necessary, proportionate, and limited" to achieve the stated purpose. Likewise, COPRA states that a covered entity may not "process or transfer covered data beyond what is reasonably necessary, proportionate, and limited" to achieve a purpose.
Preemption of State Privacy Statutes
CDPSA expressly preempts state privacy laws, except in the area of breach notification. CDPA preempts "any law, regulation, rule, requirement, or standard related to the data privacy or security" at the state level. COPRA preempts state law only to the extent that the state law imposes a lower level of protection, so more protective state laws survive.
Private Right of Action
Only COPRA provides a private right of action. It allows recovery of "an amount not less than $100 and not greater than $1,000 per violation per day or actual damages, whichever is greater." COPRA also allows for punitive damages and attorneys' fees.
Where Are We Going?
While reading this article, you may have been struck by the similarities among the rival proposals. Those similarities suggest the beginning of an agreement on what a federal privacy law should look like. However, this glimmer of bipartisan agreement on some issues should not lead anyone to predict the passage of federal privacy legislation anytime soon. The two most politically charged issues, preemption of state law and a private right of action, are the most entrenched positions on both sides of the political spectrum in the privacy space, and neither side seems likely to budge on either. Combined with the current pandemic and an upcoming presidential election, this stalemate makes broad federal privacy legislation unlikely this year. Comprehensive federal privacy legislation will probably emerge in 2021, and this year's elections will likely determine whether it more closely tracks the Republican or the Democratic proposals.
For more information regarding this article, please contact Richard Halm.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.