Senator Moran Adds a New Proposal to the Federal Privacy Debate
Earlier this month, Senator Moran (R-Kansas) introduced a new privacy bill—the Consumer Data Privacy and Security Act. As the Chairman of the Senate Commerce Committee’s Subcommittee on Manufacturing, Trade, and Consumer Protection, Senator Moran has been a key player in Senate efforts to craft a comprehensive, federal privacy law. This new legislation follows December’s uptick in congressional privacy activity, which saw separate proposals from the Chairman and Ranking Member of the Senate Commerce Committee—Senator Wicker (R-Mississippi) and Senator Cantwell (D-Washington), respectively—as well as a bipartisan draft bill from House Energy & Commerce Committee staff. While Senator Moran’s new bill adds further momentum to the privacy debate, it is unclear whether Congress will have the time and focus required to move the ball forward in 2020, as the COVID-19 Pandemic keeps lawmakers away from Washington and demands the attention of legislators and the Administration.
The December proposals revealed both key areas of consensus and critical fault lines in the privacy debate. As we detailed in a December post, the proposals from Senators Wicker and Cantwell have notable overlap. For example, both bills would create new federal consumer rights to transparency, access, deletion, correction, and portability. And both bills would impose other obligations on covered entities, including data security and privacy impact assessment requirements. To be sure, the devil is in the details, and there is not perfect agreement even on these points of overlap; however, the fact that the general structure and approach of these bills from different sides of the aisle are so similar is a major advancement in the path towards consensus.
But the December proposals also confirmed critical fault lines, with the two biggest predictably being around preemption and private rights of action. As we described in our December post:
Preemption: The Wicker bill broadly preempts all state laws “related to the data privacy or security and associated activities” of businesses covered by the law, with a notable exception for breach notification laws. On the other hand, the Cantwell bill explicitly says that “[n]othing in this Act shall be construed to preempt, displace or supplant” state laws regarding consumer protection, privacy rights of employees and students, and “[l]aws specifying remedies or a cause of action to individuals.”
Private Rights of Action: The Wicker bill is silent on private enforcement, vesting enforcement with only the FTC and state attorneys general. By contrast, the Cantwell bill creates an incredibly broad private right of action.
The bipartisan draft bill circulated by House staff reiterated the depth of the divide between Republicans and Democrats on these two issues, leaving bracketed placeholders for these issues rather than proposing provisions that both parties could agree on.
Senator Moran’s new proposal follows a similar pattern. Senator Moran’s proposal is rights-based, like the two key Senate proposals that came before it. In general, it would establish the following new federal consumer rights, each of which is further detailed in the bill:
Right to Access: “A covered entity shall, in response to a verified request from an individual—(A) confirm whether or not the covered entity has collected or processed the personal data of the individual; and (B) if the covered entity has collected or processed the personal data of the individual, provide, within a reasonable time after receiving the request, the individual with—(i) a copy, or an accurate representation, of the personal data pertaining to the individual collected and processed by the covered entity; and (ii) a list of the categories of third parties to which the covered entity has disclosed the personal data of the individual, if applicable.” § 5(b)(1).
Rights to Accuracy and Correction: “A covered entity shall establish reasonable procedures designed to—(A) ensure that the personal data that the covered entity collects and processes with respect to an individual is accurate and up-to-date; and (B) provide individuals with the ability to submit a verified request to the covered entity to—(i) dispute the accuracy and completeness of such personal data; and (ii) request the appropriate correction of such personal data.” § 5(c)(1).
Right to Erasure: “[With exceptions], upon a verified request from an individual, a covered entity shall, without undue delay, delete or de-identify the personal data of the individual, and shall direct any service providers of the covered entity to delete or de-identify such data.” § 5(d)(1).
The bill would also impose similar types of obligations on covered entities, including:
Data Security: “Each covered entity and service provider shall develop, document, implement, and maintain a comprehensive data security program that contains reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of personal data from unauthorized access, use, destruction, acquisition, modification, or disclosure.” § 6(a).
Privacy Impact Assessments: “If an applicable entity that is a covered entity intends to begin a new collection or processing activity or to make a material change in its processing of sensitive personal data, the applicable entity shall, before beginning the new processing activity or making the material change, consider the privacy implications, if any, of the change.” § 7(c)(1).
And, like the other Republican proposal at the center of this debate, the Moran bill would broadly preempt state laws and would not allow for private enforcement. Specifically:
Preemption: On this issue, the bill explains that “[i]t is the express intention of Congress to promote consistency in consumer expectations, competitive parity, and innovation through the establishment of a uniform Federal privacy framework that preempts, and occupies the field with respect to, the authority of any State or political subdivision of a State over the conduct or activities of covered entities covered by this Act . . . relating to the privacy or security of personal data, including consumer controls relating to personal data such as rights to access, correction, and deletion.” § 10(a). Accordingly, the bill would preempt state and local laws related to privacy or security of personal data, except for certain categories of state laws to the extent they are not inconsistent with the bill, including state breach notification laws, among others.
Enforcement: The bill establishes enforcement by the Federal Trade Commission and state attorneys general, but not enforcement through private rights of action. See § 9.
Whether or not Congress will be able to move forward with comprehensive, federal privacy legislation this year is unclear. But what is clear is that federal action on this issue is needed and is much overdue. This new proposal will be an important part of the debate moving forward.