The implementation of GDPR was the catalyst for a number of states to introduce their own data privacy laws, the best-known being CCPA. With CCPA effective Jan. 1, 2020, the legislation has nudged lawmakers in Washington into action. Several data privacy bills have been introduced in the Senate since late 2018. They include the Consumer Online Privacy Rights Act (COPRA), the Privacy Bill of Rights Act, and the Consumer Data Protection Act. Another bill, the Online Privacy Act, was introduced in the House and includes the creation of a Digital Privacy Agency.
Obviously, not all of these bills are going to be passed. Most will never make it out of committee. However, it is important for both consumers and businesses that a federal data privacy law prevails. CCPA is a step in the right direction, but uniformity is necessary for companies that do business in multiple states. The question before us is which bill is the best option for a federal privacy law?
The Consumer Data Protection Act was brought before the Senate by Sen. Ron Wyden, D-Ore., in November 2018, and this is the legislative proposal that most closely mirrors GDPR. It would target larger companies ($50 million or more in revenues and more than 1 million consumer records stored) and carry a fine of 4 percent of annual revenues. If enacted, the Act would give the Federal Trade Commission (FTC) expanded authority on current oversight of data privacy concerns. This bill isn’t business friendly (the steep fines) or consumer friendly (the FTC would be responsible for developing the regulations, which could end up making it difficult for consumers to request adequate protections of their personal information).
In April, Sen. Ed Markey, D-Mass., introduced the Privacy Bill of Rights Act, which at that time was the most comprehensive privacy bill brought before the Senate. Its strength is its definition of personal information: “The term ‘personal information’ means information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.” This legislation, too, will have oversight from the FTC, but in this case, the rules must focus on protecting “the individual and collective privacy rights” spelled out in the bill. Organizations, especially the large tech companies, would have to rethink the way they conduct business with their customers as the data privacy protections favor consumers. It is this bill that has the most similarities to CCPA’s consumer protections.
COPRA is the bill that, as of this writing, may have the best chance of becoming law in the coming year. Introduced in November by Sen. Maria Cantwell, D-Wash., Ranking Member of the Senate Commerce Committee, COPRA would be a consumer-friendly privacy act, allowing consumers to have more control over their personal data. Consumers would be able to see what data companies hold, correct or delete it, and prevent it from being sold to third parties. Companies, on the other hand, would face hefty fines for data breaches and misusing data and would be required to obtain special permission to collect biometric data. This bill includes provisions for the creation of a Bureau for Privacy within the FTC and a data security fund housed in the Treasury Department, and would allow state attorneys general to file suits under the federal law.
The Chairman of the Commerce Committee, Roger Wicker, R-Miss., in turn, introduced a counter proposal to Cantwell’s bill. Overall, the two bills share similar goals by setting clear boundaries for both individual rights and how businesses can collect, share, and use data, with consumer access to correct or delete personal information. The control over personal data given to consumers is similar to many of the provisions in CCPA. And, encouragingly, at first glance, the two drafts appear to show that consumer data privacy is a bi-partisan issue.
The conflicts, however, are where the partisanship shows, and they focus on two specific points: whether a federal law would override state laws, including CCPA, and the ability to sue companies that violate data privacy protections. Sen. Wicker’s proposed draft favors the tech industry’s side and its desire to eliminate frivolous lawsuits that could possibly stifle innovation, for example, while Sen. Cantwell’s bill wants to allow consumers to hold the large tech companies responsible for misuse of a user’s personal information. More important, however, are the disagreements over state-enacted privacy legislation. COPRA is designed to allow stronger protections in a state law to override federal law, while Wicker’s draft appears to be aimed at eliminating the patchwork of state regulations. This seems designed to neuter CCPA, which tech companies have opposed.
Finally, the Online Privacy Act introduced by two Democratic Congresswomen representing Silicon Valley, Anna Eshoo and Zoe Lofgren, would also require businesses to allow consumers access to their data and have it deleted, but it would also have stricter regulations around algorithm-based processes used to target specific customers. Even so, there are concerns this bill will limit rights for consumers and favor businesses.
Although the Privacy Bill of Rights Act has the strongest defenses for consumer privacy rights, it is a bi-partisan version of COPRA that is most likely to become law – or at least make its way for debate in the House – in the next year. And it may, in fact, be the only successful bipartisan legislative effort we see in 2020. COPRA is the strongest of the privacy bills moving through the legislative process, and I’m hopeful that Senators Cantwell and Wicker will prevail, collaborating on a bill that protects the public and passes muster in Congress and the White House.
Until there is one data privacy law, businesses will suffer. They already face the challenge of unconnected back-office enterprise systems that store enormous amounts of consumer and employee data. Many of these systems were built before data privacy and data security were an issue, so they are unequipped to handle today’s threats. Even more challenging, employees tasked with managing privacy at a business don’t know all the enterprise software solutions their company uses. Without knowing what systems are used at a business, or which contain personal data, how could one access or delete personal data, a requirement made by the CCPA upon a consumer’s request? How will these systems be able to identify California residents from other customers in CCPA’s time frame? With one federal law, some of the burden will be lifted from business systems.
While I generally favor the states’ role in being the so-called laboratories of democracy, only a uniform federal piece of legislation will solve the problem and create order.
Daniel Barber is the CEO and Co-Founder at DataGrail, and can be reached via email, LinkedIn, and Twitter.