Key Points

  • Sen. Maria Cantwell (D-WA) introduced the Consumer Online Privacy Rights Act in the Senate. If passed, it would grant consumers a number of rights, subject to enforcement from the Federal Trade Commission and state attorneys general. The bill also contains a controversial provision establishing a private right of action.
  • Sen. Roger Wicker (R-MS) unveiled a discussion draft of his long-anticipated privacy proposal, the United States Consumer Data Privacy Act of 2019. If passed, the bill would provide for several consumer rights, preempt state privacy laws and be enforced by the Federal Trade Commission. The bill also contains exemptions from the new consumer protections for aggregated data and internal research to improve or develop products, services or technology.

Consumer Online Privacy Rights Act

On Tuesday, November 26, Sen. Maria Cantwell (D-WA), Ranking Member of the Senate Commerce, Science, and Transportation Committee, introduced the Consumer Online Privacy Rights Act. The bill notably contains a private right of action, which has emerged as a controversial provision in privacy negotiations.

Senate Commerce, Science, and Transportation Committee Chairman Roger Wicker (R-MS) has been engaged in ongoing negotiations on bipartisan legislation with Ranking Member Cantwell over the past several months. Chairman Wicker also recently announced he will convene a Commerce Committee hearing on December 4 to consider pending privacy proposals. However, the introduction of the Consumer Online Privacy Rights Act may signal that some key Senate Democrats have chosen to pursue their own privacy effort, as Senate Republicans have expressed strong opposition to the bill's provision establishing a private right of action.

Ranking Member Cantwell is the top Democrat on the Senate Commerce Committee, which has primary jurisdiction over privacy-related issues. Her proposal marks the first introduction of a comprehensive privacy proposal in the Senate, which has been the chamber leading the charge for comprehensive legislation.

The measure would not preempt state laws, falling in line with California Democrats in the House of Representatives who also remain opposed to preemption of the California Consumer Privacy Act (CCPA). Republicans in both chambers have instead called for a national standard to avoid a patchwork of state laws.

The bill broadly defines covered data to include "information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data." The language carves out de-identified data, employee data and public records.

The Cantwell bill would be enforceable by the Federal Trade Commission (FTC) and state attorneys general. The bill's enforcement provisions deviate from a recent proposal by House Democrats to create a new agency to enforce violations of the law, instead providing the FTC with new authorities to fine companies for violations upon the first offense.

The measure establishes several user rights, including rights to access, deletion and correction, as well as the right to data security. The legislation requires covered entities to identify and address foreseeable vulnerabilities, take preventative and corrective action to mitigate any risks or vulnerabilities, dispose of covered data that is no longer necessary to retain, and train all employees on how to safeguard covered data. The bill further requires the FTC, in conjunction with the National Institute of Standards and Technology (NIST), to publish guidance for covered entities on how to provide effective data security and privacy training.

In order to address discrimination, the measure would require covered entities engaging in algorithmic decision-making for purposes of processing data related to housing, education, employment or credit opportunities to annually conduct an impact assessment.

The bill would also carve out small businesses that receive under $25 million in annual revenue—less than half of which may be derived from transferring individuals' covered data—and process the covered data of under 100,000 individuals, houses or devices.

Sens. Brian Schatz (D-HI), Amy Klobuchar (D-MN) and Ed Markey (D-MA) have joined Ranking Member Cantwell in co-sponsoring the legislation.

United States Consumer Data Privacy Act of 2019

On Thursday, November 28, the text of a discussion draft from Senate Commerce, Science, and Transportation Committee Chairman Roger Wicker (R-MS) was released to the public. The bill deviates from Ranking Member Cantwell's proposal by preempting state privacy laws, while also declining to provide for a private right of action, which Chairman Wicker has previously declared a "nonstarter."

The measure would establish several consumer user rights, including rights to access, correction, deletion and portability of covered data. Like Ranking Member Cantwell's proposal, the bill would also require affirmative express consent of users in order to process sensitive covered data or transfer the data to a third party.

The bill would define covered data as "information that identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual." Similar to Ranking Member Cantwell's bill, the measure would carve out de-identified data, employee data and public records from the new rights, but Chairman Wicker's proposal would go a step further to carve out aggregated data, which is defined as "information that relates to a group or category of individuals or devices that does not identify and is not linked or reasonably linkable to any individual."

The proposal would grant enforcement authority to the FTC, directing the Commission to use its existing authority to combat fraud and deception. However, the bill would not direct the Commission to establish a separate bureau dedicated to privacy and data security, as required in Ranking Member Cantwell's proposal.

Regarding discrimination, the legislation would require an annual report to be conducted by the FTC under Section 6(b) of the Federal Trade Commission Act to examine the use of algorithms to process covered data in a manner that may violate federal antidiscrimination laws.

Identical to Ranking Member Cantwell's proposal, the bill would exempt small businesses that receive under $25 million in annual revenue—less than half of which may be derived from transferring individuals' covered data—and process the covered data of under 100,000 individuals, houses or devices.

The measure provides for several additional exemptions, including allowing covered entities to collect covered data for the purposes of conducting internal research to improve or develop products, services or technology.

Chairman Wicker's proposal would also allow the FTC to approve certification programs developed by covered entities or trade associations representing covered entities to create compliance standards.
