CRS asks, who is ‘watching the watchers’ in analysis of proposed privacy protection bills
In recent months, members of Congress have introduced four consumer privacy bills and circulated discussion drafts of two additional proposals, any of which could have major implications for the biometrics industry. Although the proposals “are similar in many respects, they differ in key ways, including whether the new federal laws would preempt state law and whether individuals would have a private right of action to enforce the law,” according to a recent Congressional Research Service (CRS) report, Watching the Watchers: A Comparison of Privacy Bills in the 116th Congress.
As several news media have pointed out, the report noted that these “key sticking point[s]” make it “unclear if there is any path forward for privacy legislation.”
The CRS report’s authors stated that “a dispute over whether to include a private right of action has prevented the passage of Washington State’s privacy bill, and disagreement on this point could lead to a similar result in Congress. The preemption issue relates to a more time-sensitive concern: whether Congress seeks to guide the national debate on privacy laws, rather than respond to it. California is working to implement the CCPA, and more than a dozen states continue to develop their own privacy legislation.”
But “until Congress provides direction through a federal bill—whether or not it preempts state law—it seems likely that states will develop a patchwork of laws that may be inconsistent and difficult for businesses to navigate,” the CRS report concluded, adding, “Some [legislators] have indicated that there is room for continued negotiation, though others seem less hopeful. Ultimately, unless Congress comes to an agreement on these two core issues, it may be unlikely that any of these proposals will gain traction.”
The bills discussed by the CRS review are:
– H.R. 4978, the Online Privacy Act of 2019, introduced by Representatives Anna Eshoo and Zoe Lofgren on November 5, 2019;
– The United States Consumer Data Privacy Act of 2019 (USCDPA Draft), a discussion draft circulated by Sen. Roger Wicker on November 27, 2019;
– S. 2968, the Consumer Online Privacy Rights Act, introduced by Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019;
– An untitled December 18, 2019, discussion draft (“E&C Draft”) from the House Energy and Commerce Committee, spearheaded by Representatives Cathy McMorris Rodgers and Jan Schakowsky;
– S. 3300, the Data Protection Act of 2020, introduced by Sen. Kirsten Gillibrand on February 13, 2020; and
– S. 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Sen. Jerry Moran on March 12, 2020.
“Five of the six proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take similar approaches … although details vary somewhat from bill to bill,” CRS said.
Each bill “regulates the use of personal information” by recognizing individuals’ rights to control their personal information, requiring a defined class of entities to take steps to respect those rights and creating procedures to enforce those requirements.
“The five proposals differ, however, in three key respects,” CRS pointed out. Those differences include which federal agency would have enforcement power; whether to preempt state privacy laws; and whether to provide a private right of action.
The sixth bill, S. 3300, takes a different approach: it would “create a new agency vested with the power to enforce existing federal privacy laws and authorize that agency to issue broadly applicable privacy regulations.”
CRS stated that “the six proposals share a number of components. Each bill defines the type of information it would protect (covered or personal information or data) in similar terms, with most including information that is linked or reasonably linkable to an individual,” and that “many of the proposals (the USCDPA Draft, S. 2968, the E&C Draft, and S. 3456) would provide additional protections for sensitive information, including government-issued identification numbers, financial account numbers, health records, biometric data, and geolocation data.”
Similarly, each of the proposals “specifies the type of entities it would cover, though the breadth of this coverage varies.” For example, while S. 2968 “would cover only entities or persons subject to the Federal Trade Commission Act, excluding small businesses … S. 3300 would apply to any ‘person’ (which, under existing law, would include corporations and other businesses) ‘that collects, processes, or otherwise obtains personal data with the exception of an individual processing personal data in the course of personal or household activity.’”
Some of the bills (H.R. 4978, S. 2968, S. 3456) would further “exempt certain types of entities, in whole or in part, such as small businesses and entities engaged in journalism,” the CRS analysis said. “In addition, some bills (the USCDPA Draft, S. 2968, S. 3300) would impose additional restrictions on large data holders that exceed certain revenue thresholds or process the covered information of a specified number of individuals.”
Each of the six proposals also specifies which agency would be responsible for enforcing the proposed new law, “offering two main approaches. Most bills would either vest the Federal Trade Commission with enforcement authority (the USCDPA Draft, S. 3456), or create a new bureau within that agency (S. 2968, E&C Draft).”
Two other bills, though—H.R. 4978 and S. 3300—would establish entirely new federal agencies to oversee privacy requirements.
With regard to individual rights and covered entities’ duties, five of the proposed bills—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—“take a similar substantive approach, creating protections for covered information that are enumerated as individual rights and covered entity duties,” CRS explained, noting that, “although each bill uses different terminology—certain protections appear as rights in some bills and duties in others—and would recognize a slightly different set of rights and duties, some protections are common to all five proposals.”
Each of these five proposed pieces of legislation (all but S. 3300) would acknowledge a basic set of “individual rights with respect to covered information held by covered entities.” These would include “the right of access [that] would give individuals the right to view their covered data held by covered entities, a list of third parties to which that data had been transferred, and the purposes of any such transfers.”
The right of deletion would permit a person to request that covered entities expunge (or, under some bills, de-identify) any of that person’s “covered information, with some exceptions,” CRS determined.
“The right of correction would give individuals the ability to correct—or require a covered entity to correct—inaccurate information,” CRS said, adding that “the right of portability would require covered entities to provide individuals, on request, with copies of their data free from any restrictions on use.”
Each bill would also create notice and consent requirements for how covered entities would use covered information. CRS reported that, “Under these requirements, a covered entity would have to notify an individual when it intends to collect or transfer information,” and that “the entity would then have to ask the individual for affirmative consent (opt in) or give the individual a chance to opt out of the collection or transfer.”
“Finally,” CRS stated, “each of these five proposals would require covered entities to limit how they collect and use covered information and to take certain steps to safeguard that information. The duty of minimization would limit a covered entity’s collection, processing, and transfer of covered information to no more than it reasonably needs to provide the product or service that an individual requested.”
And, “complementing that duty,” CRS also noted, “covered entities would be required to safeguard covered information in their possession by implementing physical security and cybersecurity policies.”
An alternative approach is S. 3300, CRS said, explaining that, “Compared to the other five proposals, S. 3300 would take a markedly different approach [in that it] would not impose any new privacy obligations on covered entities.” In its place, “the bill would centralize all privacy oversight and enforcement responsibilities for existing, sector-specific laws—such as Title V of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102), and the Children’s Online Privacy Protection Act of 1998 (Pub. L. No. 105-277)—in a new Data Protection Agency.” S. 3300 would also authorize the agency to issue regulations to prevent “unfair or deceptive act[s] or practice[s] . . . in connection with the collection, disclosure, processing, and misuse of personal data.”