The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other “copy-cat” privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.
In the past year, US legislators have proposed a wide variety of data privacy laws—none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:
While both proposals would be enforced by the Federal Trade Commission (FTC), COPRA also allows for an individual private right of action, while the CDPA does not. Another key difference is that the CDPA preempts state data privacy and security laws (except data breach notification laws), whereas COPRA leaves state laws in place to the extent they afford greater protection.
In December 2019, the House Energy & Commerce Committee negotiated a bipartisan discussion draft on federal privacy regulation. The proposed law would establish a new administrative unit within the FTC called the Bureau of Privacy to administer and enforce the law. The discussion draft requires covered entities to:
The discussion draft also sets out registration requirements for “information brokers.” The discussion draft does not address federal preemption or private rights of action, possibly because Republicans and Democrats are divided on these issues.
Other notable federal data privacy law proposals include the following:
Many proposals focus on the principles of transparency, use limitation, data minimization and individual consumer rights, but tend to differ on enforcement mechanisms and preemption. 2019 was an active year for privacy legislation, especially at the state level. As privacy issues continue to be a hot topic among individual consumers and policymakers, all eyes will be on whether the United States will finally pass a comprehensive federal privacy law in 2020.