Federal Privacy Legislation in 2020? Democrats and Republicans Remain Conflicted
COPRA vs. US CDPA 19
Things are moving on Capitol Hill. Less than a week after a group of Senate Democrats led by Senator Maria Cantwell circulated the “Consumer Privacy Rights Act” (COPRA), the Republican side has followed suit with the “United States Consumer Data Privacy Act of 2019” (US CDPA 19). The US CDPA 19, authored by Senator Roger Wicker, stands out largely because of its provision stating that it supersedes state-wide privacy laws. With ad industry group Privacy for America releasing its Principles for Privacy Legislation on Tuesday, there is undoubtedly enough movement and enough ideas to tackle a federal privacy law in 2020.
The California Consumer Privacy Act (CCPA), which comes into effect on January 1st, 2020, has inspired the drafting of multiple other state laws; Maine LD-946 and Nevada SB-220 have both been signed (SB-220 is in effect), and several pieces of legislation are in different phases of the legislative process. Such a patchwork of differing privacy laws is an unpleasant outlook for businesses with a US-wide customer base, which need to be able to adapt to each of these differing standards. The legal and operational costs pile up as more and more state privacy laws become effective.
There is increasing communication from companies to lawmakers in Washington, as business leaders push for a federal law, most recently in an open letter to Congress in September 2019. One question seems to have brought things to a standstill: Should the federal law supersede state laws to give companies the clarity and relative ease of implementation they are yearning for, potentially a less strict policy overall; or should it merely set a baseline to ensure that all U.S. consumers have a minimum amount of protection?
Both the COPRA and US CDPA 19 used the CCPA and the EU’s GDPR as inspiration and gave us a lot to unpack. To help you evaluate them for yourself, we’ve compared the most notable similarities and differences of the bills below; additionally, we’ve provided a more in-depth comparison table at the end of the piece.
Similarities
Both proposals grant individuals certain rights (right to access one’s data, notice requirements when data is collected, ability to request deletion of one’s data, correct data with businesses, data portability, and other controls).
Businesses must get express consent for the processing or transfer of sensitive data, which is defined quite similarly under both proposals (e.g., government-issued identifiers, biometrics, geolocation, contents of private communication(!), health data). Businesses must establish and maintain reasonable security measures and are forbidden to use deceptive data practices.
Both pay special attention to algorithmic bias and the extra-sensitive nature of biometric information.
The FTC’s authority (which is currently limited by both budget and enforcement capabilities) is expanded, and civil actions can be brought by state attorneys and consumer protection officers. COPRA additionally includes a private right of action, as discussed under “Differences.”
Differences
The US CDPA 19 will preempt any state-wide privacy law. COPRA includes preemption of “directly conflicting state laws,” but the Act yields where state laws offer more protection.
The COPRA includes “information revealing online activities over time and across third-party websites or online services” in the term “sensitive information.” This means express consent would be required to process or transfer this information, which would have a massive impact on any business offering a personalized online experience to their customers (including the ad-tech sector).
The COPRA grants individuals a private right of action for all types of violations. The US CDPA 19 does not grant a private right of action.
The COPRA provides for fines of $100-$1000 per violation per day or actual damages (whichever is greater). The “per day” clause makes it clear that these fines can rack up very quickly. The US CDPA 19 leaves more room for interpretation and offers less clarity as to any expected punishment: it only states that violations of the Act are treated as unfair or deceptive acts pursuant to the FTC Act, allowing the Court to grant the relief “necessary to redress injury.”
The US CDPA 19 goes into effect 2 years after the date of enactment, while the COPRA goes into effect after only 180 days, four times quicker.
“To preempt, or not to preempt” state laws, that is the fundamental question, difference, and point of conflict between the two sides. Beyond that, the US CDPA 19 resists both a private right of action and the specification of fine amounts. These are essential differences, the gaps are wide, and the two proposals offer no sign of compromise.
However, the Democratic and Republican sides have found some important common ground in giving individuals extensive rights and robust controls. They both go beyond the CCPA by requiring an opt-in for the processing or transfer of sensitive covered information, which is a good thing for consumers. A lot remains to be decided for 2020 and personal data rights, but whichever way it shakes out, we’re happy to see and report that the average American will be getting more control over their data.