Competing National Privacy Bills Introduced

on Monday, 23 December 2019 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On November 26, 2019, U.S. Senator Maria Cantwell (D-WA), along with other Democratic senators across four key Senate committees, introduced the Consumer Online Privacy Rights Act (“COPRA”), which would expand the rights of people when it comes to how personal data is collected, shared and used. The move comes after a series of efforts to enact national privacy legislation failed to gain traction. In November, two Democratic members of the U.S. House of Representatives proposed a national privacy law that calls for the formation of a new federal agency to enforce the privacy rights of individuals. In October, Senator Ron Wyden (D-OR) introduced the “Mind Your Own Business Act,” which proposed to expand the Federal Trade Commission’s (“FTC”) authority to regulate data collection.

COPRA proposes the following rights and obligations:

  • Grants consumers the right to ask what data is collected about them, who that information is shared with, and the reason for sharing it;
  • Grants consumers the right to control the movement of their data, including the ability to delete or correct it;
  • Grants consumers “the right to be free from deceptive and harmful data practices”;
  • Requires companies to get consent before collecting users’ sensitive information, including biometric and location data;
  • Creates a new bureau within the Federal Trade Commission to handle digital privacy enforcement, and requires that the bureau be fully staffed and operational within two years of enactment;
  • Gives individuals the right to sue companies if their privacy is violated;
  • Establishes a data security fund to be run by the Treasury Department;
  • Allows state attorneys general to bring privacy lawsuits under federal law; and
  • Requires companies to audit their algorithms for bias — especially with regard to financial discrimination and housing.

The bill also places greater responsibility on company executives to ensure their adherence to digital privacy protections.  Beginning one year after the law’s enactment, CEOs of companies that hold large amounts of data would have to certify to the FTC on a yearly basis that they have “adequate internal controls” and reporting structures to comply with the law.  Finally, COPRA would not completely preempt state laws that afford individuals a greater level of protection than provided under COPRA.

On the Republican side, Senator Roger Wicker (R-MS) has circulated his own “discussion draft” of a consumer privacy bill, currently known as the “United States Consumer Data Privacy Act of 2019.” While Senator Wicker’s draft bill aligns in large part with COPRA, it would preempt all state laws related to data privacy and security and would not provide for a private right of action. However, Senator Wicker said he would consider including a private right of action if it were sufficiently narrow.

Senators Cantwell and Wicker are aiming to resolve differences on their respective bills before the California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020. The CCPA includes a narrowly focused private right of action for data breach violations, allowing consumers to seek statutory or actual damages, injunctive relief, or declaratory relief. 

Grayson J. Derrick
Chair, Technology and Intellectual Property Section