Skip to main content
Top Button
Are We Getting Closer to a Federal Consumer Data Privacy Law? Are We Getting Closer to a Federal Consumer Data Privacy Law?

Are We Getting Closer to a Federal Consumer Data Privacy Law?

Several members of Congress are attempting to establish a federal consumer data privacy law against the backdrop of public calls by data privacy professionals and tech executives from more than 51 tech companies—including Amazon, IBM, and Salesforce—urging Congress to pass a comprehensive consumer data privacy law. Prior efforts to establish new federal data privacy standards have been stymied over many issues, and these latest efforts face many of the same challenges, even as pressure for action continues to mount. Recognizing the significant potential impact to many of our clients, Ice Miller’s Data Security and Privacy team is monitoring these events closely, and Ice Miller’s Strategies team in Washington, D.C. is actively involved in these discussions as they are being considered on the Hill.

The Consumer Online Privacy Rights Act of 2019

On November 26, 2019, U.S. Senator Maria Cantwell (D-Wash.) introduced the Consumer Online Privacy Rights Act (“COPRA”). Under COPRA, consumers would be granted several specific data privacy rights that are comparable to those rights found in the GDPR and the CCPA:
 
  1. Duty of Loyalty  (covered entities cannot engage in deceptive or harmful data practices)
  2. Right of Access and Transparency (covered entities must provide covered data to individual upon receiving a verified request and must make publicly and persistently available a privacy policy)
  3. Right to Consent to Material Changes (covered entities must receive affirmative consent before making material changes to their privacy policies)
  4. Right to Delete (covered entities must delete or allow the consumer to delete any covered data processed by entity)
  5. Right to Correct Inaccuracies (covered entities must correct or allow the consumer to correct any inaccuracies in covered data processed)
  6. Right to Data Security (covered entities must establish, implement, and maintain reasonable security measures to protect the confidentiality, integrity, and accessibility of covered data)

The FTC and state attorneys general would be granted enforcement authority by COPRA. COPRA would also establish a new bureau within the FTC to handle COPRA violations and a new Data Privacy and Security Relief Fund funded by enforcement fines to compensate affected individuals and support privacy education initiatives. The real change in many ways would be through COPRA’s proposed private right of action, which would allow individuals to pursue action for COPRA violations with damages ranging from $100 to $1,000 per violation per day. The establishment of a private right of action is where Congressional democrats and republicans have had the most disagreement.

The United States Consumer Data Privacy Act of 2019

Introduced by Senator Roger Wicker (R-MS) on November 29, 2019, the United States Consumer Data Privacy Act (“CDPA”), like COPRA, would prohibit deceptive and harmful data practices and likewise would provide familiar privacy rights to access, transparency, and non-discrimination, among others. Also, enforcement would remain in the hands of the FTC and the state attorneys general. However, unlike COPRA, the CDPA would preempt state laws related to data privacy and would not provide a private right of action.

What would this mean for your business?

Both bills were key topics of discussion at the Senate Committee on Commerce, Science, and Transportation hearing on December 4, 2019, where Senators reviewed legislative proposals to protect consumer data privacy. A comprehensive, federal consumer data privacy law faces substantial partisan opposition, particularly with respect to state law preemption. At the same time, many high technology companies strongly support a single nationwide standard that would simplify compliance and provide consistent rules and guidance. State privacy laws, such as the CCPA and draft laws in other states as well as a GDPR-like law set to go into effect in California in 2020, are spurring Congressional action and may help drive a consensus at the federal level.

If you would like to receive further information regarding developments in privacy legislation, please contact Guillermo Christensen or Mason Clark. Guillermo Christensen, a partner in Ice Miller’s Washington, D.C. office, works in the Data Security and Privacy Practice Group and has extensive prior experience in the U.S. Government and internationally at the OECD in France. Mason Clark is an associate in Ice Miller’s Data Security and Privacy Practice Group. Clayton Heil and Graham Hill work on data privacy and cybersecurity matters for Ice Miller in Washington, D.C.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

 

View Full Site View Mobile Optimized