The last bill we examined on privacy and data security was Representatives Anna Eshoo (D-CA) and Zoe Lofgren’s (D-CA) the “Online Privacy Act of 2019” (H.R. 4978), a long, comprehensive bill that has little chance of being enacted as it is. Another such bill has been introduced by Senate Democratic stakeholders that takes a comprehensive approach by marrying privacy and data security requirements. Senate Commerce Committee Ranking Member Maria Cantwell (D-WA) and three other Democrats on the committee, Brian Schatz (D-HI), Ed Markey (D-MA) and Amy Klobuchar (D-MN), have released the “Consumer Online Privacy Rights Act” (COPRA). This bill would empower the Federal Trade Commission (FTC) to police privacy and data security violations through augmented authority, not preempt state laws to the extent they provide greater protection, largely leave in place existing federal privacy statutes such as the “Financial Services Modernization Act of 1999” (aka Gramm-Leach-Bliley) and “Health Insurance Portability and Availability Act of 1996” (HIPAA), and allow individuals to sue. Of course, many of these approaches are contrary to the publicly espoused positions of numerous Republican and industry stakeholders. The sponsors released a one-page summary and a short report titled “The State of Online Privacy and Data Security.”
COPRA was released ahead of the Senate Commerce, Science, and Transportation Committee’s December 4 hearing “Examining Legislative Proposals to Protect Consumer Data Privacy,” suggesting that Democrats wanted to define their positions on privacy and data security issues while also highlighting that the majority party in the Senate has failed to release a bill. It is unclear, however, if this bill signals that Cantwell’s ongoing talks with Chair Roger Wicker (R-MS) have stalled. Cantwell and Wicker have been in discussions since the summer on a privacy bill after it appear the efforts undertaken by an ad hoc committee working group had not produced fruit. Nonetheless, Wicker stated that “[t]he legislation released today reflects where the Democrats want to go..[b]ut any privacy bill will need bipartisan support to become law.” He added that “I am committed to continuing to work with the ranking member and my colleagues on both sides of the aisle to get a bill that can get across the finish line…[and] I expect that we will have a bill to discuss at next week’s hearing.”
It merits mention that Senator Richard Blumenthal (D-CT), the ranking member of the Manufacturing, Trade, and Consumer Protection Subcommittee, is not a cosponsor. Blumenthal has long called for both privacy and data security legislation and has often pressed federal agencies to better protect consumers. He has been working with the chair of the subcommittee, Senator Jerry Moran (R-KS), on a privacy bill, and yet despite having worked for over a year on a bill, no text has been released.
It also bears mention that the sponsorship of COPRA suggests that Senate Democrats are coalescing around a single position whereas its Members have taken a number of different approaches. The bill came shortly after Cantwell, and the top Democrats on three other committees released their principles for privacy legislation (See here for more analysis), signaling agreement on the broad outlines of such legislation. The other three ranking members were Patty Murray (D-WA) (Senate HELP), Dianne Feinstein (D-CA) (Senate Judiciary), and Sherrod Brown (D-OH) (Senate Banking). This agreement on principles brokered by Senate Minority Leader Chuck Schumer (D-NY) may smooth some of the jurisdictional battles that have traditionally dogged attempts to address data security or cybersecurity.
Schatz, the ranking member on the Communications, Technology, Innovation and the Internet Subcommittee, led the drafting and introduction of the “Data Care Act,” (S. 3744) in the last Congress. This bill which would extend the concept of fiduciary responsibility currently binding on health care professionals and attorneys with respect to the patients and clients’ information to “online service providers” such as Facebook, Google, Apple, etc. (See here for more extensive analysis.) Likewise, Senator Ed Markey (D-MA) introduced the “Privacy Bill of Rights Act” (S. 1214), which was the only bill to get an A in the first draft of the Electronic Privacy Information Center’s report on privacy bills. (See here for more analysis.) Finally, Klobuchar had cosponsored the “Data Care Act” and had also released a narrower bill with a Republican cosponsor, the “Social Media Privacy Protection and Consumer Rights Act of 2019” (S. 189), that would require major tech companies to give consumers an opportunity to opt in or opt out of the company’s data usage practices after offering enhanced notice of the practices for which the personal data may used. (See here for more analysis.)