On November 29, 2019, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, circulated a draft of a comprehensive federal privacy bill entitled the United States Consumer Data Privacy Act of 2019 (“the Bill”).
The Bill would place enforcement authority in the hands of both the Federal Trade Commission and state attorneys general. Unlike COPRA, which was released by the Democrats a few days prior, it would preempt all state laws related to data privacy and security and would not provide for a private right of action. However, Senator Wicker noted recently that while the Bill does not contain a private right of action, he would consider including one in legislation if it was sufficiently narrow.
The Bill would provide individuals with new privacy rights, such as the rights to access, delete or de-identify, and correct their data as well as a right to data portability. Organizations would be prohibited from denying goods or services to an individual because the individual exercised any of the rights afforded by the Bill. The Bill would also create new transparency requirements for organizations to publish privacy policies about the types of data they process and transfer.
The Bill would provide additional protections for sensitive data by requiring organizations to obtain express affirmative consent for the processing and transfer of sensitive data. For non-sensitive data, the Bill would provide an individual with the right to object to the processing and transfer of any covered data, subject to several exceptions. It would also treat biometric information differently, prohibiting its processing and transfer except in several narrow situations.
The Bill would require organizations to implement several internal practices to protect their data, including data security policies and practices and data minimization. It would promote corporate accountability by requiring companies to designate privacy officers and data security officers to coordinate policies and practices on processing data and facilitate compliance with the Bill. The Bill would also require whistleblower protections to ensure that organizations do not punish employees who come forward about possible violations of the law. The Bill would also place limits on the use of data transferred to third parties and service providers and ensure that privacy protections travel with the data. “Large data holders” would have to conduct privacy impact assessments every two years.
The Bill contains several other noteworthy elements, including its definition of “covered data” that would exclude aggregated data, de-identified data, employee data and publicly available information. The Bill would exclude small businesses from the individual control and data minimization requirements, as long as they meet one of several criteria. It would require data brokers to register with the FTC. It would also allow the FTC to approve certification programs developed by organizations to create standards or codes of conduct regarding compliance with one or more provisions of the Bill.
The Senate Commerce Committee will hold a hearing on Wednesday, December 4, 2019, entitled “Examining Legislative Proposals to Protect Consumer Data Privacy,” at which they will discuss this bill as well as other legislative proposals.