Senator Wicker Introduces U.S. Consumer Data Privacy Act of 2019

Senator Roger Wicker (R-Miss), Chair of the Commerce Committee, has released a draft copy of the United States Consumer Data Privacy Act of 2019 (CDAP), a federal data privacy bill that is intended to replace the patchwork of state privacy laws in the United States. CDAP will ensure that all U.S. citizens receive the same rights and privacy protections regardless of where they live. If the bill becomes law it will override state privacy laws, including the California Consumer Privacy Act (CCPA) that is due to take effect on January 1, 2020.

CCPA gives California residents new privacy rights and has been likened to the General Data Protection Regulation in the EU, albeit with fewer security requirements for companies. Similar to GDPR, CCPA allows consumers to see what data is held on them by a company and find out with whom their data has been shared. It also includes a private cause of action, so consumers are permitted to sue companies that are in breach of the CCPA. CCPA will, however, only apply to certain companies: those with revenues in excess of $25 million, any company that holds the data of 50,000 or more individuals, and companies that collect more than half of their revenues from the sale of personal data.

Sen. Wicker’s CDAP goes further than CCPA as it will apply to a much broader range of companies. It also goes into greater detail on the protections that must be in place to protect consumers. Under CDAP, companies would be required to publish clear privacy policies covering the collection, use, and sharing of personal data, including details of the purpose for which data is being collected, the data retention period, and a description of the company’s security practices.

CDAP allows consumers to see what data is held on them by a company and find out with whom their data has been shared. Companies would be required to provide access to the data free of charge up to two times a year and honor requests within 45 days.

Consent to collect personal data would also need to be obtained from consumers by an affirmative action before data could be used for any purpose other than those detailed in a company’s privacy practices, and also before any personal data could be sold on. Sen. Wicker’s CDAP does not include a private cause of action, so consumers would not be permitted to take legal action for violations of COPR.

Similar to HIPAA, CDAP also includes a ‘minimum necessary’ provision, which requires companies to restrict the collection of data to the minimum necessary amount to achieve the purpose for which information is being collected. CDAP would also require companies to implement security measures to protect personal data, adopt security best practices, and practice data minimization. Similar to GDPR, companies would be required to designate privacy and security officers to coordinate compliance and develop and implement privacy policies and practices. Sen. Wicker says CDAP is “better, stronger, and clearer” than CCPA.

Sen. Wicker’s CDAP is one of two national privacy laws that have been introduced recently. The other bill – the Consumer Online Privacy Rights Act (COPRA) – was introduced by Sen. Maria Cantwell (D-Wash). COPRA also gives consumers rights over their personal data and introduces GDPR-style protections.

While Sen. Wicker’s bill aligns with Cantwell’s, COPRA does not pre-empt state laws. The Republican camp is keen to introduce new legislation to replace the current patchwork of state privacy laws, but the Democrats don’t want to replace state laws, which may provide greater protections for consumers.

Sen. Wicker’s CDAP and Sen. Cantwell’s COPRA were discussed during a Senate Commerce Committee hearing on Wednesday, December 4, 2019. While both senators agreed that a bipartisan privacy bill is required and that it should be enforced by the FTC, agreement has not been reached on the content of the bill, including whether there should be a private cause of action and whether the federal privacy law should supersede state privacy laws such as CCPA and the New York Privacy Act.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.