California’s Consumer Privacy Act (CCPA) has made states truly consider how they expect businesses to handle individuals’ personal information. While the CCPA only protects the rights of California residents, it has inspired many other states to consider passing similar legislation.
With different legislation applying in individual states, businesses that operate across several states will likely have a difficult time complying with each law. As a result, a U.S. federal privacy law that ensures regulatory certainty is becoming quite attractive.
Update: Proposed U.S. Federal Privacy Laws
Comprehensive privacy legislation may have taken a back seat to COVID-19 issues. However, several pieces of privacy legislation have attempted to tackle specific privacy issues related to the pandemic, such as contact tracing. While pandemic-related items have taken priority, we should expect comprehensive privacy bills to return shortly.
To keep you informed, here’s the latest update about potential federal privacy laws that might take precedence in the United States in the near future.
COPRA & CDPA
In November 2019, federal legislators proposed a variety of data protection laws, but none gained any traction. These proposed laws included the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act of 2019 (CDPA).
Both COPRA and CDPA would require entities that process personal data to:
- Obtain consent from consumers prior to processing their sensitive data
- Create transparent privacy policies
- Maintain reasonable data security practices
- Conduct privacy/risk assessments
- Provide consumers the right to access, correct, and delete personal data
And while very similar, COPRA and CDPA have a few differences as well, including:
- COPRA and CDPA both give enforcement power to the Federal Trade Commission (FTC) and state attorneys general, but only COPRA allows individuals to bring private rights of action
- CDPA preempts state data privacy and security laws
- COPRA leaves state laws in place to the extent they afford greater protection
Bureau of Privacy
In December of 2019, the House Energy & Commerce Committee issued a bipartisan discussion draft on federal privacy regulation. If passed, the law would establish a new administration called the Bureau of Privacy within the FTC to enforce the bill. The discussion draft would enforce:
- Privacy programs with privacy protection officers
- Consumer right to access, delete, and correct their information
- Principles of retention limitation
- Implementation of reasonable security measures
Online Privacy Act
Proposed to Congress in 2019, the Online Privacy Act focuses on setting out strict requirements for how companies can collect, use, and transfer individuals’ data. Provisions include:
- Requires organizations to spell out in plain language why they’re collecting consumer information
- Prohibits companies from selling or disclosing personal information without consent
- Requires companies to have easy-to-understand privacy policies
- Establishes a privacy authority, the Digital Privacy Agency (DPA)
DASHBOARD Act
The Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act would place a number of strict regulations on what it calls “data operators,” or companies that have more than 100 million active monthly users. Inside the proposed bill you’ll find:
- Stricter regulations for companies such as retention limitations
- Rules for data operators to provide consumers an account of what their personal data is worth every 90 days
- Requirements for data operators to publish an annual report that lays out the aggregate economic value of all the data they’ve collected
ADD Act
The American Data Dissemination Act (ADD Act) seeks to provide a nationwide consumer data privacy law that protects both consumers and internet economics. Requirements under the law would include:
- FTC to submit detailed recommendations for privacy requirements that Congress can impose on covered providers within 180 days of ADD being enforced.
- FTC to publish and submit to Congress proposed regulations to impose privacy requirements on covered providers.
- If Congress fails to enact a law based on the FTC recommendations within 2 years, FTC would make a final ruling.
Social Media Privacy Protection and Consumer Rights Act of 2019
As suggested in the name, this proposed law would protect the privacy of users of social media and other online platforms. But it didn’t make it very far. After being introduced in April of 2018, it died once introduced to Congress in January 2019.
Conclusion: A Federal Privacy Law is Inevitable
Federal privacy law isn’t a matter of if, it’s a matter of when. Both Democrats and Republicans in Congress agree it needs to happen. Will it happen in 2020? It’s unlikely. But it will happen. And your business should be prepared to comply.
To prepare for the inevitable, it’s important your business is set up for success. A few ways to prepare include:
- Appoint an accountable company staff member to handle data privacy matters
- Implement third-party auditing
- Train your staff on data protection
- Vet vendors and partners thoroughly to ensure they’re as compliant as you