Thursday, May 13, 2021

Privacy Roundup: Federal Data Privacy Legislation Proposed in 2021

In "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, I explained why a single, nationwide privacy regime – in particular, one that preempts state law and embraces exclusive enforcement by the FTC rather than a private right of action – is far preferable to a collection of inconsistent, state-specific approaches. Already we have seen such laws pass in California (the in-effect CCPA and, more recently, the CPRA) and Virginia.

As such, congressional activity on the privacy front is a topic upon which the Free State Foundation regularly provides updates. This specific discussion focuses on several federal data privacy bills that have been introduced – in many cases, reintroduced – so far this year.

The first such bill, the Information Transparency and Personal Data Control Act, was reintroduced on March 10 by Representative Suzan DelBene (D WA). As I noted in "Congresswoman DelBene Reintroduces Federal Data Privacy Bill," an April 2 blog post, that act, among other things, would preempt state law and would not allow individual consumers to pursue a private right of action.

*    *    *

Less than two weeks later, on March 23, a group of 17 Democrats in the Senate reintroduced the Data Care Act (DCA).

Rather uniquely, the DCA would not create specific consumer rights (for example, the right to know, access, delete, or correct collected personal information).

Instead, it would require online service providers that collect "individual identifying data" to abide by duties of care, loyalty, and confidentiality.

Pursuant to the duty of care, online service providers would have to "reasonably secure individual identifying data from unauthorized access" and promptly notify end users in the event of a breach involving "sensitive data," which the DCA defines to include social security, driver's license, and financial account numbers; fingerprints and other unique biometric data; and "information sufficient to access an account of an individual."

The duty of loyalty would bar the use of individual identifying data "in a way that will benefit the online service provider to the detriment of an end user" and either (a) "will result in reasonably foreseeable and material physical or financial harm" or (b) "would be unexpected and highly offensive to a reasonable end user."

The duty of confidentiality would limit the disclosure or sale of individual identifying data to those uses that are consistent with online service providers' duties of care and loyalty; require the inclusion of contractual provisions that impose the duties of care, loyalty, and confidentiality on third-party recipients of individual identifying data; and require audits and other reasonable steps to ensure that third parties in fact do comply with those obligations.

The FTC would be authorized to enforce a violation of the DCA as "an unfair or deceptive act or practice" pursuant to Section 18(a)(1)(B) of the Federal Trade Commission Act. State attorneys general and consumer protection officers also could bring civil enforcement actions.

The DCA would apply to nonprofit organizations and common carriers.

It explicitly would not "modify, limit, or supersede the operation of any privacy or security provision in any other Federal or State statute or regulation."

*    *    *

On April 29, Senator Jerry Moran (R KS) reintroduced the Consumer Data Privacy and Security Act (CDPSA).

First and foremost, the CDPSA would preempt state laws in order to establish a federal consumer data privacy protection standard. According to the press release, a recent survey revealed that "an overwhelming majority of Americans believe a national standard for privacy is needed."

In addition, the CDPSA would bestow upon consumers the rights of knowledge, access, portability, correction, and deletion. Small businesses – defined as those that have fewer than 500 employees, generate less than $50 million in annual gross receipts, and collect personal data from no more than a million individuals – would not be required to provide access, or make corrections, to collected data.

With some limited exceptions, covered businesses would have to obtain consent before collecting and processing personal data. The type of consent required would depend on the sensitivity of the data collected and whether it will be transferred to a third party.

Specifically, with respect to non-sensitive information, "an individual shall be deemed to have consented … if the individual fails to decline the request after being provided with [notice] and a reasonable amount of time to respond to the request."

For sensitive information or data that will be transferred to a third party, however, the CDPSA would require "express affirmative consent."

Covered businesses also would be required, among other things, to implement a comprehensive data security program that "contains reasonable administrative, technical, and physical safeguards designed to protect personal data from unauthorized access and related harmful disclosures."

The FTC and state attorneys general would handle enforcement responsibilities. The former would be provided with limited rulemaking responsibilities, the power to impose civil penalties for first-time offenses, authority over nonprofits and common carriers, and the resources necessary to hire 440 new employees.

The CDPSA makes plain that it would not create a private right of action: "There shall be no private right of action under this Act and nothing in this Act may be construed to provide a basis for a private right of action."

*    *    *

Finally, Senator Rick Scott (R FL) announced on May 4 the introduction of the Data and Algorithm Transparency Agreement (DATA) Act. Although the text of the bill is not yet available, the press release indicates the DATA Act would require that any large Internet platform "that uses algorithms to increase or decrease the availability of content on its platform" obtain express (opt-in) consent before collecting, selling, sharing, or conveying user data.

Users also would have the right at any time to withdraw their consent and/or request that their personal data be deleted.

And they would be empowered by the DATA Act to pursue a private right of action. In addition to actual damages and attorney's fees, aggrieved users would be entitled to minimum monetary damages in the amount of $5,000 per violation.

The DATA Act, which would apply to those Internet platforms with 30 million or more active monthly users in the United States, would mandate that a plain-language explanation of these rights appear each time that a user logs in. However, users could waive this requirement.