On March 12, 2020, Senator Jerry Moran (KS) introduced a comprehensive federal privacy bill entitled the Consumer Data Privacy and Security Act of 2020 (the “Act”).
The Act would create a single preemptive federal standard for consumer data privacy and dedicate resources to help the Federal Trade Commission hire 440 new attorneys, technologists and support personnel to enforce it. It would provide enforcement authority to state attorneys general, and would grant the FTC new rulemaking authority as well as the ability to levy fines for initial violations of the Act. Notably, it does not contain a private right of action.
The Act would also:
- Apply to all businesses under the purview of the FTC as well as non-profits and common carriers.
- Prohibit the collection or processing of personal data unless an individual has explicitly or implicitly provided consent, or unless a covered entity collects or processes the personal data in accordance with a “permissible purpose” under the Act. “Implicit consent” would occur when an individual fails to decline a request to collect or process personal data after being provided with notice and a reasonable amount of time to respond to the request.
- Require express affirmative consent for the collection or processing of sensitive personal data, or for disclosure of personal data to a third party that is not consistent with a “permissible purpose.” Permissible purposes under the Act include, among other uses: provision of a service that an individual has requested; fraud prevention; research performed for the primary purpose of advancing a broadly recognized public interest; performing internal operations or analytics; and improving a product or service requested by the user.
- Provide individuals with the rights to know, access, accuracy/correction, erasure and data portability. Small businesses would be exempt from providing individuals with the right to access and the right to accuracy/correction.
- Require covered entities to develop a comprehensive data security program designed to protect the security, confidentiality and integrity of personal data from unauthorized access, appropriate to the size, complexity and resources of the covered entity.
- Impose “Accountability” requirements on companies that process data of more than 20 million individuals annually, or that process the sensitive data of more than one million individuals annually, to: designate a Privacy Officer; conduct and document privacy impact assessments for all new collection or processing activities, or material changes to their processing of sensitive personal data; and adopt a comprehensive risk-based privacy program that considers the relevant risks to the privacy and security of the data, the size and complexity of the company, and the sensitivity of the data being processed.
- Limit the retention of sensitive personal data.
- Require covered entities to take reasonable steps to ensure that their service providers have established appropriate privacy and security procedures and controls.
- Exclude de-identified data, employee data, publicly available information and pseudonymized data from the definition of “personal data.”
- Exclude app usage and browser history from the definition of sensitive data.
- Direct the Secretary of Commerce to develop mechanisms to prevent disruptions of cross-border data transfers.