The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other "copy-cat" privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.
In the past year, US legislators have proposed a wide variety of data privacy laws, none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:
Obtain affirmative express consent from individuals prior to processing sensitive covered data;
Provide transparent privacy policies;
Maintain reasonable data security practices;
Conduct privacy/risk assessments; and
Provide individuals rights to access, correction, deletion and data portability.
While enforcement under both proposals is brought by the Federal Trade Commission (FTC), COPRA also allows for individual private right of action while the CDPA does not. Another key difference is that the CDPA preempts state data privacy and security laws (except data breach notification laws), whereas COPRA leaves state laws in place to the extent they afford greater protection.
In December 2019, the House Energy & Commerce Committee negotiated a bipartisan discussion draft on federal privacy regulation. The proposed law would establish a new administrative unit within the FTC called the Bureau of Privacy to administer and enforce the law. The discussion draft requires covered entities to:
Establish a privacy program with designated privacy protection officers;
Provide individuals the right to access, delete and correct their information;
Abide by requirements derived from principles of...