Dec 192019

Examining Legislative Proposals to Protect Consumer Data Privacy

Colleen Theresa Brown and Michele L. Aronson
, , , ,

On December 4, 2019, the Senate Commerce Committee addressed data privacy in a hearing titled, “Examining Legislative Proposals to Protect Consumer Data Privacy.”  The hearing focused on the two leading privacy proposals that were put forward in the week leading up to the hearing, the Consumer Online Privacy Rights Act (COPRA), introduced by Sen. Maria Cantwell, D-Wash., ranking member on the Committee, and a Staff Discussion Draft of the United States Consumer Data Privacy Act of 2019 (CDPA), introduced by Sen. Roger Wicker, R-Miss., Chairman of the Committee.  The competing proposals share many similarities, including their scope of covered data and entities, as well as their approaches to consumer transparency and access.  However, as witness testimony during the hearing revealed, the proposals diverge on a few critical issues.

The Committee heard testimony from an all-star panel with experience across the public and private sectors.  They testified to the importance of enacting federal legislation to protect consumer data privacy rights and expressed their general support for key provisions of the two leading proposals.  The panel consisted of Julie Brill, former FTC Commissioner and current Corporate VP and Deputy GC at Microsoft; Maureen Ohlhausen, former FTC Acting-Chair and Commission, and current Co-Chair of the 21st Century Privacy Coalition; Laura Moy, Executive Director of the Georgetown Law Center on Privacy & Technology; Nuala O’Connor, Senior VP and Chief Counsel of Digital Citizenship at Walmart; and Michelle Richardson, Directory of Privacy and Data at the Center for Democracy and Technology.  Although the witnesses prioritized different principles, they all emphasized the urgent need for a bold, comprehensive privacy law at the federal level that is coupled with strong enforcement mechanisms.

The questions during the hearing highlighted the main differences between the two leading proposals: preemption and a private right of action.  Regarding preemption, COPRA would preempt only state laws that expressly conflict with it, whereas CDPA would preempt all state laws regarding data privacy, including the California Consumer Protection Act which goes into effect on January 1, 2020.  The panelists representing industry discussed the challenges of complying with a patchwork of state privacy laws, as well as the speed and efficiency that a uniform national framework could provide.  The other main issue receiving significant attention at the hearing was whether a federal privacy law should include a private right of action for consumers.  COPRA gives consumers a private right of action, whereas CDPA would rely on the FTC and state attorneys general to enforce the law.  The discussion of a private right of action also led into a broader discussion about enforcement.  Some panelists voiced support for increasing staffing and other resources at the FTC, as well as strengthening the FTC’s authority for rulemaking and imposing first-time civil penalties.

In addition to discussing the issues of preemption and a private right of action, many lawmakers expressed concern about the potential negative impact of a federal privacy law on innovation, particularly for small businesses.  The witnesses proposed a variety of ways to mitigate that impact, primarily by providing clarity through legislation that is readable on its face and by exempting small businesses from certain requirements.  Additionally, multiple lawmakers and witnesses underscored the importance of including civil rights protections that would prohibit discriminatory uses of data.

The hearing demonstrated that, although both sides of the aisle agree on the need for a comprehensive federal data privacy law, passing a bipartisan bill will require bridging divides between the two latest leading proposals on a handful of key persistent issues.  Two weeks later, on December 18, a bipartisan draft bill was issued from the House Energy & Commerce Committee. While important momentum seems to be gaining, a federal law is not likely imminent, and will certainly not come about prior to the CCPA’s effective date.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Michele L. Aronson

Washington, D.C.

maronson@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.