As many businesses occupy themselves with coming into compliance with the California Consumer Privacy Act (CCPA) before the law's effective date of January 1, 2020, Congress is renewing discussion of a possible comprehensive federal data privacy law. On December 4, 2019, the Senate Commerce, Science, and Transportation Committee held a hearing titled "Legislative Proposals to Protect Consumer Data Privacy." Committee members and witnesses focused on several issues:
- Developing a framework for consumers to exercise control over the data that companies collect by providing them with access, deletion and portability rights
- How enforcement authority under a national law should be allocated between the Federal Trade Commission (FTC), state attorneys general and a possible private right of action
- Whether the FTC's resources should be increased and it should be authorized to impose civil penalties for first-time violations under Section 5 of the FTC Act
- The extent to which a federal law should preempt state privacy laws such as the CCPA
The witnesses were:
- Julie Brill, former commissioner of the Federal Trade Commission, corporate vice president and deputy general counsel, Microsoft;
- Maureen Ohlhausen, former acting chair of the Federal Trade Commission, co-chair, 21st Century Privacy Coalition;
- Laura Moy, executive director and associate professor of law, Georgetown Law Center on Privacy & Technology;
- Nuala O'Connor, senior vice president and chief counsel, Digital Citizenship at Walmart; and
- Michelle Richardson, director of privacy and data, Center for Democracy and Technology.
The hearing was preceded by the release of competing bills by Senate Democrats and Republicans. On November 26, Ranking Member Maria Cantwell (D-WA) and three other Democratic senators proposed the Consumer Online Privacy Rights Act (COPRA), which followed the publication by Senate Democrats of a set of principles to help shape debate over federal data privacy law. A week before the hearing, on November 27, Senator Roger Wicker (R-MS), chairman of the committee, released a discussion draft of a Republican federal privacy bill.
Areas of agreement
Both the senators' comments and questions at the hearing and the draft legislation show that Democrats and Republicans agree on a number of core issues. For one, both sides believe that consumers need more visibility into and control over how companies collect and handle their personal information and that businesses need to be held accountable for their data handling practices. Both sides also agree that the FTC needs to be involved in enforcing a federal privacy law and that the agency will need more resources and tougher enforcement mechanisms at its disposal in order to be an effective regulator in this space.
Areas of disagreement
Democrats and Republicans remain divided over several fundamental issues, particularly the extent to which a federal privacy law should preempt state laws and the extent to which a national privacy law should include a private right of action. On the preemption point, Republicans argue that a patchwork of legislation would be harmful to both businesses and consumers, while Democrats believe that states are innovating in this area in important ways and should not be prevented from continuing to do so. Regarding a private right of action, Democrats argue that it is necessary to ensure effective enforcement of any federal privacy law. Republicans, on the other hand, contend that a private right of action would not benefit consumers and instead would only enrich the plaintiffs' bar.
If the hearing is any indication, the two sides remain far from resolving their differences on these issues.
States will continue to take up privacy legislation
It remains unlikely that Congress will agree on a national data privacy law anytime soon, especially as we head into a presidential election year. That does not mean, however, that there will not be continued focus on this issue extending throughout 2020, with hearings and the introduction of new bills and proposals from industry, such as the one released last week by Privacy For America.
The more likely focus of new legislation that will pass in 2020 is at the state level. As we outlined earlier in the year, at least 10 states attempted to pass comprehensive data privacy laws in 2019. Many of those states—including Washington, Pennsylvania, Massachusetts and New York—are likely to try again in 2020. Some of these states' efforts may mirror the CCPA, but others may even go beyond the CCPA's protections. The most recent bill proposed in Massachusetts, for example, would create a private right of action for the entire bill, not just for violations related to data breaches, as the CCPA does. And even where states draw from the structure and language of the CCPA, they are likely to each do so with unique changes that make nationwide compliance a difficult proposition.
Don't forget about California
Businesses should not let Congress's renewed interest in a federal privacy law distract them from the fact that the CCPA goes into effect in less than a month. Beginning on January 1, 2020, companies that fall within the CCPA's definition of a "business" and collect personal information from California residents will be responsible for:
- Notifying consumers of their data collection practices at or before the time of collection
- Providing consumers with individual data privacy rights
- Updating their privacy policies
- Ensuring that their service providers qualify as such under the law through contract restrictions
As we have discussed earlier, the California attorney general has released proposed regulations for the CCPA, some of which impose additional obligations on businesses (such as training and record-keeping requirements). The draft regulations must be finalized no later than July 1, 2020. Cal. Civ. Code § 1798.185(a). The attorney general can begin enforcing the CCPA six months after regulations are finalized or on July 1, 2020, whichever is sooner. Id. § 1798.185(c). It is very unlikely that the California AG will release final regulations before January 1, 2020, so the law's enforcement date will likely be July 1.
Nevertheless, businesses need to take steps to comply with the CCPA now because enforcement can be retroactive to January 1, and noncompliance can be costly. Intentional violations of the law can lead to fines as high as $7,500 per violation. Cal. Civ. Code § 1798.155(b). And the CCPA provides a private right of action to "any consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." Id. § 1798.150(a)(1).