Moran Releases Long Awaited Privacy Bill Without Blumenthal

Senator Jerry Moran (R-KS) has released his long-awaited privacy and data security bill, the “Consumer Data Privacy and Security Act of 2020” (S.3456) that is not cosponsored by Senator Richard Blumenthal (D-CT) even though the two Senators have been in talks since late 2018 along with other Senators to draft a bipartisan bill. Of course, Moran chairs the Senate Commerce, Science, and Transportation Committee’s Manufacturing, Trade, and Consumer Protection Subcommittee and so is a key stakeholder with input on any privacy and data security legislation coming from that committee. However, Moran’s bill is likely a nonstarter with Senate and House Democrats because it does not provide people with a private right of action and it would preempt state laws like the “California Consumer Privacy Act” (CCPA) (AB 375). Moreover, the Federal Trade Commission’s (FTC) ability to obtain civil fines would be limited only to situations where the entity in question had actual knowledge of the violations as opposed to the standard many agencies use to enforce: constructive knowledge (i.e. knew or should have known.) This, too, is contrary to not only the Democratic privacy bills but also some of the Republican bills, which would allow the FTC to levy fines on the basis of constructive knowledge.

However, like almost all the other bills, the “Consumer Data Privacy and Security Act of 2020” would require covered entities to obtain express affirmative consent to collect from and process the personal data of people after providing extensive disclosure and notice about who and with whom their personal information would be shared. Likewise, this bill would give people certain rights, such as a right to access, correct, delete, and port their personal data. People would also be granted the right of erasure under which a covered entity must delete or de-identify the personal data of any person who submits a verified request. However, small businesses would be exempted from from granting requests to access and the right to correct. There are, again like many other privacy bills, circumstances under which a covered entity may decline to grant a request to exercise these rights. For example, if doing so would violate a law or legal process, then the covered entity could say no to a person. Likewise, if a person’s life is in imminent danger, then a request could also be denied. There are other such circumstances, some of which privacy and civil liberties advocates will assert will turn out to be such wide loopholes that the rights will cease to be meaningful as they have with some of the other bills.

In terms of who would be subject to the Act, entities covered by the bill would be those currently subject to FTC jurisdiction and non-profits and common carriers. Moreover, the bill has fairly expansive definitions of “personal data” and “sensitive personal data,” like many of the other bills.

Like some of the privacy bills, large covered entities would have additional privacy obligations and responsibilities. For those entities that collect and process the personal data of 20 million or more people per year or the sensitive personal data of 1 million or more a year, then these entities must have a privacy officer to advise the entity on compliance and monitoring. Also, these large entities must also take extra steps for making material changes to their privacy policies, including privacy impact assessments and the development and implementation of a comprehensive privacy policy.

The Consumer Data Privacy and Security Act of 2020 tracks with other privacy bills in requiring that covered entities must also implement data security safeguards to protect the integrity, confidentiality, and security of personal data. There would be a sliding scale of sorts with less sensitive data requiring less rigorous protection and conversely the more sensitive the data, the more stringent the safeguards that must be used. Covered entities must also conduct periodic, regular risk assessments and then remediate any turned up risks. Covered entities must also ensure their service providers and any third parties with whom they are sharing personal data are instituting data security standards but at a lower defined standard than the covered entity itself. For example, the latter entities must only protect the security and confidentiality of the information they hold, collect, or process for a covered entity and are not responsibility for the integrity of the information.

When a covered entity uses a service provider to collect or process personal data, it must use a binding contract and perform due diligence to ensure the service provider has the appropriate procedures and controls to ensure the privacy and security of personal data. The covered entity also has the responsibility to investigate the service provider’s compliance with the act if a reasonable person would determine there is a high probability of future non-compliance.

As noted, the FTC would be the federal enforcer of the Act under the rubric of its current Section 5 powers to seek a range of injunctive and equitable remedies to punish unfair and deceptive practices. The FTC would also be able to seek civil fines of up to $43,530 per violation but only for knowing violations, and there is no language for adjusting the per violation fine amount for inflation, a power the FTC otherwise has. State attorneys general could enforce the Act just as the FTC could.

The bill expressly preempts state laws on privacy and data security and makes clear that state laws may not interfere with HIPAA, Gramm-Leach-Bliley, FERPA, and others. Moreover, the “Consumer Data Privacy and Security Act of 2020” would not affect federal privacy laws like Gramm-Leach-Bliley, COPPA, FCRA, and others, and if entities currently subject to those federal laws are in compliance with the privacy and data security requirements, then they will be deemed in compliance with the Act.