Hearings on two federal privacy law bills from opposite sides of the aisle were held late last week before the U.S. Senate Committee on Commerce, Science, and Transportation. The bills stand as indications of differences in between Democrat and Republican views on a comprehensive privacy law. The first – Consumer Online Privacy Rights Act (COPRA) – was proposed by Democratic Senator Maria Cantwell, D. Wash, and has the backing of several other Democrat Senators. The second – the United States Consumer Data Privacy Act (CDPA) – was proposed by Republican Senator Roger Wicker, R-Miss., is likely to have other Republican support.
There are substantial similarities between the bills, which indicates that there is bipartisan support for a general privacy framework that includes:
· A set of individual rights (to access, delete, rectify, export, opt-out data);
· Certain limitations on how businesses can collect and share information (i.e., by first obtaining affirmative express consent);
· No discrimination or denial or goods/services to individuals who exercise privacy right;
· The requirement that businesses maintain “reasonable data security practices”;
· The appointment of Privacy/Data Security Officers;
· Annual privacy risk assessments;
· Transparent privacy policies; and
· Certain exceptions for already regulated industries (health care, financial), and a “small business exemption.”
Role of the FTC
Both bills expand Federal Trade Commission (FTC) enforcement authority, though the exact scope of expansion differ. Further, COPRA would provide the FTC with certain financial resources to implement the Acts, and direct the FTC to create a new bureau related to consumer protection and competition.
The CDPA further grants the FTC rule-making authority to establish verification-request procedures to assist businesses in responding to data subject requests (DSR).
Interestingly, both bills require the FTC to conduct “Algorithmic Decision-Making” Study to examine “the use of algorithms,” to process data in ways that may violate anti-discrimination laws, and to develop guidance to assist businesses in avoiding discriminatory use of algorithms.
But the differences remain significant.
As expected, the critical differences between the bills center on issues of preemption of existing state laws, and the provision of a private right of action:
· CDPA provides for the preemption of stricter state laws, COPRA does not;
· Only COPRA provides a private right of action to consumers, and recognizes certain “harmful” data practices which may give rise to a presumption of injury under the Act;
· CDPA would leave enforcement of the Act strictly to the FTC and State Attorneys General.
Other differences, which may or may not be significant, include:
· Algorithmic Decision Making: In addition to directing the FTC to evaluate and report on algorithmic decision making discrimination (as required by both bills), COPRA would requires businesses to conduct algorithmic decision-making impact assessments to evaluate their use of AI technologies;
· Annual Certification: COPRA would require CEOs or highest-ranking officer, as well as a Privacy Officer, of company’s that are “large data holders” to annually certify to the FTC that the entity maintains adequate internal controls to comply with COPRA;
· Data Broker Registration: CDPA requires any business that acted as a data broker in the last year to annually certify with the FTC;
· Verification Requests: CDPA and COPRA differ in the burden of verification of a data subject request. COPRA shifts the burden of verification to the business, which must request additional information, possibly from state or federal governments, to verify identifies where the information provided by the consumer is insufficient; conversely CDPA allows a business that is unable to verify a request from a consumer to deny the request altogether.
We continue to monitor these federal privacy bills as they advance out of committee.
*Attorney Advertising, Prior Results Do Not Guarantee A Similar Outcome