Despite some lawmakers’ hopes to deliver a federal data privacy law in 2019, the year ended in disappointment and frustration for privacy advocates and consumers alike.
With the ‘hoped-for’ bipartisan bill remaining elusive – and as more U.S. states carve out their own privacy laws – just how likely is it that the government will finally do something meaningful to protect the privacy of its citizens in 2020?
Last November, as the end of 2019 loomed, Senator Maria Cantwell (D-WA), released a Democratic data privacy bill. This was followed shortly after by a discussion draft outlining Republican priorities, released by committee Chairman Roger Wicker (R-MS).
A hearing was held allowing the full committee to discuss the proposals.
Senators Jerry Moran (R-KS) and Richard Blumenthal (D-CT) – both members of the Commerce Committee and part of the Senate working group – are still attempting to develop privacy legislation together.
As we entered a New Year, lawmakers, consumer groups and the tech industry were all saying 2020 could well be the year Congress actually makes a federal privacy bill a reality.
When (eventually) this happens, its sure to be welcomed as good news by the majority of Americans who said it is not possible to go through their daily lives without being tracked, according to a study by Pew Research.
Interestingly, during a privacy panel at the CES tech industry expo last month, Federal Trade Commissioner Rebecca Slaughter said:
Just the fact that almost every day when we read the newspaper [and] see different concerning stories about privacy and security breaches, it would be almost impossible to conclude that enough is being done,
(Ms Slaughter pointed out that the opinions were her own and not those of the FTC.)
Big Tech “Looking Out For Number One”?
Last year Facebook CEO Mark Zuckerberg declared his own vision for data privacy. As Facebook came under increasing scrutiny, Zuckerberg met privately with lawmakers and publicly urged them to put rules in place.
Around the same time, Apple CEO Tim Cook also wrote and submitted an op-ed expressing his opinion on the matter.
In addition to independent input from big tech corporations, the Internet Association, which represents the interests of tech companies including Facebook, Amazon and Google, released its principles for federal data privacy legislation and launched a campaign to put pressure on Congress to act.
Senator Mark Warner (D-VA), an outspoken critic of big tech, told Yahoo Finance in a statement that as other countries and states put privacy laws in place, he’s seen a shift in big tech’s attitude toward regulation. He said:
Big tech wants a single national standard. I get that. I think in a certain way that makes some sense, but then it’s got to be a standard that’s high enough and strong enough that there’ll be meaningful enforcement.
In an interview with Yahoo Finance at the time, the trade group’s Senior Vice President of Global Government Affairs, Michael Bloom, said; “We’ve been on the Hill day in and day out. The time is right for a very, very strong federal privacy protection for the consumers and users of our platforms and services. And that’s really what our focus has been, and I think there’s real appetite for that on the Hill,”
Here at The Data Privacy Group, we aim to help our readers keep up to date with the latest developments in global data privacy laws that could affect the way they do business.
One of our biggest challenges is obtaining a clear picture of upcoming privacy laws and the impact they will have on businesses that will be subject to those laws. And while we await the enactment of a comprehensive federal data privacy law, states across the U.S. continue to paddle their own canoes when it comes to laws governing online privacy.
The first to arrive in 2020 was the California Consumer Privacy Act (CCPA), which came into effect on January 1. Several other states have similar laws in various stages of completion.
Meanwhile, on Capitol Hill there are two sets of data privacy laws – one from each side of the house – fuelling the ongoing debate.
Senator Maria Cantwell (D-WA) and her Democratic colleagues have introduced the Consumer Online Privacy Rights Act (COPRA), while Republican Senator Roger Wicker (R-MA) has proposed the United States Consumer Data Privacy Act (CDPA). No surprise there are many similarities, but also some significant differences between them.
What is Covered by the Two Bills?
Both bills make a distinction between what is considered “covered data” and “sensitive covered data.” Similarly the two bills define covered data as information that “identifies or is linked or reasonably linkable to an individual or consumer device.”
However, the COPRA definition also includes “derived data,” which is defined as data that is “derived from other information sources about an individual, household, or device.”
De-identified data, employee data, and publicly available information are excluded from the definition of “covered data” in both bills. The CDPA also excludes aggregate data from its definition of covered data.
In brief, the main differences between the two bill are as follows:
- Both bills provide individuals with certain rights. These include:
- the right of access to their data;
- notice requirements when data is collected;
- the right to request the deletion of their data;
- the right to correct their data if it is wrong;
- The right to data portability.
- Businesses must obtain express consent for the lawful processing or transfer of sensitive data, which is defined similarly under both bills. For example, government-issued identifiers, biometrics, geolocation, contents of private communication, health data.
- Businesses are required to establish and maintain reasonable security measures for the protection of personal data and are forbidden to use deceptive data practices.
- Both pay special attention to algorithm biases and the extra sensitive nature of biometric information.
- The FTC’s authority (which is currently limited by both budget and enforcement capabilities) is expanded, and civil action suits can be brought by state attorneys and consumer protection officers.
- Both bills afford the above-mentioned individual rights only upon verifiable request from the individual. However, COPRA requires a covered organization to request additional information from the individual if it cannot reasonably verify the request from the information provided. COPRA also specifically requires covered organizations to “minimize the inconvenience to consumers relating to the verification or authentication of requests.”
- CDPA allows covered organizations not to comply with a request to exercise individual rights if it “cannot verify that the individual making the request is the individual to whom the covered data that is subject to the request relates.”
- The CDPA will pre-empt state-wide data privacy laws. The COPRA includes pre-emption of “directly conflicting state laws,” however, COPRA takes a back seat in cases where a state law provides more protection for the consumer.
- The COPRA includes “information revealing online activities over time and across third-party websites or online services” in its definition of “sensitive information.” This means express consent is required in order to process information, or transfer such information to a third party. This would have a significant impact on any covered business that offers a personalized online experience to its customers.
- The COPRA provides for fines of a minimum of $100 and a maximum of $1000 per violation per day, or actual damages, whichever is the greater. The “per day” clause makes it very clear that the fines can rack up very quickly. The CDPA is more open to interpretation and lacks clarity as to potential penalties. It simply states that violations of the bill are seen as unfair or deceptive acts pursuant to the FTC Act, allowing the Court to grant the relief “necessary to redress injury”.
- The COPRA provides individuals a private right of action for all types of violations. However, the CDPA does not grant a private right of action.
- The CDPA would come into effect two years following the date of enactment, while the CORPA would go into effect after just 180 days.
- COPRA provides individuals with a right to opt-out of data transfers. CDPA, on the other hand, provides individuals with a right to object to processing or transfer of their data, with certain exceptions.
When can we Expect a Federal Privacy Law?
One of the big problems lawmakers are trying to resolve centers on the small matter of pre-emption.
Some fervently believe that a federal privacy law should take precedence over state laws, while others argue Congress should not prevent individual states from enacting their own tougher standards.
As Senator Warner said recently… Settling that question could “break the logjam.”
If we can deal with this pre-emption issue, I think the other things may start to fall in place and we actually may end up with a larger piece of legislation rather than smaller,
So, to pre-empt, or not to pre-empt state laws appears to be the fundamental question representing the biggest conflict between the two sides of the house. And with other essential differences to also be resolved.
On a positive note however, there is at least some common ground between the two sides. They both want to see individuals given comprehensive consumer rights concerning privacy and data protection. Both bills appear to go further than California’s CCPA, by requiring an express opt-in for the collection, processing and transfer of sensitive covered information.
We conclude that until such time that arguments in Congress over private right of action and the pre-emption of state law are resolved, the two parties will struggle to achieve a compromise that will translate into the enactment of a federal privacy law.
Hopefully, lawmakers will not wait until they agree on every fine detail, before the average American finally gains greater control over their personal data.