On March 13, 2020, Senator Jerry Moran (R-Kansas), Chairman of the Senate Commerce Subcommittee on Consumer Protection, introduced the “Consumer Data Privacy and Security Act of 2020” (the “CDPSA”). The CDPSA joins several other proposed pieces of federal legislation vying to create an overarching federal data-privacy framework. Generally, the CDPSA is consistent with the current data-privacy legal frameworks: it integrates themes from the CCPA and GDPR and also learns from some of their shortfalls (e.g., the CDPSA excludes employee data from the definition of personal data). On the spectrum of business-friendliness, the CDPSA is more favorable to small and midsize businesses than the CCPA and GDPR for several reasons, some of which are discussed below. Perhaps the most significant are the favorable thresholds established by the CDPSA for qualification as a “small business” and the absence of a private right of action. The CDPSA provides individual rights and protections similar to those of the CCPA and GDPR but attempts to reduce the burden on small and midsize businesses by exempting “small businesses” from certain compliance obligations (e.g., small businesses are not required to comply with an individual’s rights to access, accuracy, or correction).
The following are our Top 10 highlights of the CDPSA:
1. Small Business. The definition of “Small Business” is favorable to small and midsize businesses because the qualification thresholds are higher than the CCPA’s: fewer than 500 employees (CCPA: N/A); less than $50 Million in average gross receipts for the previous 3 years (CCPA: more than $25 Million, no year requirement); processes personal data of fewer than 1 Million individuals (CCPA: N/A). The 500-employee threshold especially benefits small businesses because it does not penalize them for being successful. However, the CDPSA imposes on covered entities an ongoing duty of due diligence over their service providers, which could be quite a resource-heavy endeavor.
2. No private right of action. The FTC or State Attorneys General may bring civil enforcement actions under the CDPSA to: (1) enjoin the violative practice, (2) enforce compliance with the CDPSA or its regulations, or (3) impose a civil penalty (in addition to any injunctive relief) for actual-knowledge violations of the CDPSA or its regulations. The civil penalty is the number of individuals affected by a violation multiplied by an amount not to exceed $42,530. The CDPSA establishes several factors to be considered in determining the amount of the civil penalty.
3. Express preemption of state law. The CDPSA expressly preempts state and local laws related to the privacy or security of personal data. However, the following state and local laws shall not be preempted to the extent such laws do not conflict with the CDPSA: (1) data breach notification laws, (2) criminal or civil procedure, (3) general standards of fraud or public safety, (4) laws that address the privacy of any group of students as defined in FERPA, (5) employment laws, including laws governing employment-related data; or (6) laws protecting the right of individuals to be free of discrimination based on race, sex, national origin, or other suspect classification identified under state law.
4. Express preemption of federal law (sort of). The CDPSA expressly preempts federal statutes and regulations related to the privacy or security of personal data. However, the following federal laws are exempt: (1) the Children’s Online Privacy Protection Act (“COPPA”), (2) the Communications Assistance for Law Enforcement Act, (3) Section 227 of the Communications Act of 1934, (4) Title V of the Gramm-Leach-Bliley Act (“GLBA”), (5) the Fair Credit Reporting Act, (6) the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), (7) the Family Educational Rights and Privacy Act (“FERPA”), (8) the Electronic Communications Privacy Act, (9) the Driver’s Privacy Protection Act of 1994, and (10) the Federal Aviation Act of 1958. A covered entity that is required to comply, and is in compliance, with one of the aforementioned federal laws is deemed compliant with the CDPSA with respect to that data.
5. Federal Trade Commission. The CDPSA designates the FTC as the federal agency in charge of administering the CDPSA, grants it rulemaking authority, and provides a mechanism for additional personnel and resources to assist with administering the CDPSA.
6. Exceptions for small businesses. Covered entities that qualify as small businesses are exempt from complying with an individual’s right to access and rights to accuracy and correction. For service providers that qualify as small businesses, the CDPSA requires that the technical feasibility of any requirement imposed on such a service provider be taken into account in determining any penalty for violations of the CDPSA.
7. Consent. The CDPSA establishes two standards of consent: (1) implicit consent, where an individual is deemed to have consented to the collection or processing of personal data if she did not decline the request after being provided with notice and a reasonable amount of time has passed, and (2) express affirmative consent, required where the collection or processing involves sensitive personal data or where the disclosure of personal data to a third party is not for the covered entity’s permissible purpose. To be valid, express affirmative consent must be: (1) clearly, prominently, and unmistakably stated, (2) given in response to a notice and request to collect or process personal data, and (3) not inferred from inaction.
9. Processing of Personal Data. The CDPSA establishes two ways a covered entity (and its service providers) may collect or process personal data: (1) the individual provides consent, or (2) the collection or processing is done for a Permissible Purpose. A third party may collect or process personal data without directly obtaining an individual’s consent if: (1) the covered entity disclosing such personal data (a) provided the individual with notice of the specific purpose of the third-party collection or processing and (b) the individual consented to that collection or processing; or (2) the third-party collection or processing is done for the third party’s limited permissible purpose.
10. Permissible Purpose. Covered entities and service providers may collect or process personal data without an individual’s consent to the extent reasonably necessary for, and limited to, a defined Permissible Purpose. Compared to the GDPR’s lawful bases, the CDPSA’s enumerated Permissible Purposes seem broader and more practical. The CDPSA establishes the following Permissible Purposes: (1) provision of a service or performance of a contract; (2) compliance with laws; (3) preventing immediate danger to the personal safety of any individual (including effectuating a product recall); (4) preventing fraud and protecting the security of the covered entity’s, service provider’s, or individual’s rights, property, services, or information systems; (5) research performed by the covered entity or by a service provider at the direction of the covered entity; and (6) the covered entity’s or service provider’s operational purposes. Operational purposes include internal operations (e.g., billing, website maintenance, financial reporting); short-term, transient use; marketing or advertising; improving products and services; and any additional specific purposes defined by the FTC.
While Congress has yet to choose which proposed federal privacy legislation, if any, should move forward, it is clear that the drafters of the CDPSA are in touch with the key trends in the privacy industry: granting robust privacy rights to consumers, imposing substantial penalties on entities that violate such rights, and learning from the shortfalls of the current framework of privacy laws. Overall, the CDPSA attempts to strike a balance between the protections afforded to consumers by the GDPR and CCPA and the costs of compliance for small to medium-sized businesses. We will continue to track the CDPSA as it makes its way through the legislative process.