The EU General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018. Shortly afterwards, the EU data protection authorities received more than 95,000 complaints from citizens. EU consumers became more willing to transact with EU businesses because they have the legal means to enforce their privacy rights. Thus, the enhanced privacy protection provided by the GDPR benefits both consumers and businesses in the EU. (To learn more about the GDPR, see GDPR: Do You Know if Your Organization Needs to Comply?)
The U.S. still lags behind the EU with regard to privacy protection. Despite a few federal privacy laws covering particular industry sectors and a number of state privacy laws, the U.S. does not have a federal privacy law that provides consumers with strong privacy protection throughout the entire country. This threatens the development of the U.S. economy, which is the largest in the world.
In this article, we examine a number of recent developments indicating that the U.S. may soon adopt a federal consumer privacy law and provide our predictions about the nature of the new law. At the end of the article, a conclusion is drawn.
An Overview of U.S. Privacy Developments
In April 2018, The Guardian announced that the data consultancy firm Cambridge Analytica collected and used data from about 87 million Facebook profiles, without the consent of the respective users. The majority of them (70 million) were U.S.-based. To collect such a vast volume of data, Cambridge Analytica used an app called thisisyourdigitallife.
A former representative of Cambridge Analytica (Christopher Wylie) stated with regard to the data breach: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” The data breach led to serious public criticism of Facebook. About three-quarters of U.S. households using the internet became concerned about privacy and security risks. Shortly after the breach was discovered, Mark Zuckerberg, the CEO of Facebook, was requested to testify before the U.S. Congress.
In July 2018, the White House noted that it was intending to work with Congress on “a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.” The Information Technology Industry Council, an organization representing the major tech companies, appreciated the efforts of the White House and stressed that the United States has the opportunity to create a new privacy paradigm for the digital economy and avoid the current patchwork of privacy laws.
Information Transparency & Personal Data Control Act and the Data Care Act
In 2018, members of the U.S. Congress proposed at least two data protection bills. First, in September 2018, Congresswoman Suzan DelBene introduced a bill called the Information Transparency & Personal Data Control Act. It imposes various privacy requirements on companies, including, but not limited to, (i) requirements to provide consumers with privacy policies in “plain English” and (ii) requirements to obtain the consent of consumers before processing their personal information. The bill was reintroduced in 2019.
Second, in December 2018, a group of 15 U.S. senators introduced the Data Care Act. If adopted, the Act will require companies collecting personal data from users to take reasonable steps to protect it. Brian Schatz, a U.S. senator who sponsored the draft law, explained the rationale behind the Act as follows:
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them.”
In 2019, a new version of the Data Care Act (also known as the Data Care Act of 2019) was introduced in the U.S. Senate. It obliges online service providers to (i) secure personal data from unauthorized access, (ii) refrain from using personal data in a way that will harm the end users, and (iii) avoid disclosing personal data to a third party unless that third party is bound by the obligations imposed by the Act.
The Consumer Online Privacy Rights Act
On the 3rd of December 2019, Sen. Maria Cantwell [D-WA] presented the Consumer Online Privacy Rights Act (COPRA) to the U.S. Congress. Its aim is to regulate the processing of information that can identify an individual residing in the U.S. or is reasonably linkable to a consumer device. It excludes certain small businesses from the obligation to comply with the Act.
The COPRA requires covered entities to:
- Obtain the consent of data subjects before processing their personal data.
- Use the data only for specific purposes.
- Take reasonable information security measures to protect the data.
- Provide the data subjects (upon their request) with their own personal data.
- Allow data subjects to modify and delete their data.
In cases where the data to be processed is sensitive personal data, the consent needs to be in the form of express affirmative consent. The COPRA implements the principle of data processing transparency, which means that covered entities must publish privacy policies complying with certain requirements.
How Do Data Protection and Privacy Look in 2020?
The Data Protection Act of 2020
On the 13th of February 2020, Sen. Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2020. If adopted, the bill will lead to the creation of a federal data protection agency which will be responsible for adjudicating consumer privacy-related complaints.
Furthermore, the agency will be able to declare privacy-invading practices deceptive or unfair. The new privacy watchdog will be able to commence civil action against violators of privacy laws and will even be able to impose fines of up to USD 1 million per day. The bill is criticized for providing too much discretion to the executive branch.
Michelle Richardson from the Center for Democracy and Technology warned that years may pass until we understand whether the regime established by the bill will have any meaningful impact on the behavior of corporations.
The Consumer Data Privacy and Security Act of 2020
On the 12th of March 2020, Sen. Jerry Moran [R-KS] introduced the Consumer Data Privacy and Security Act of 2020 (CDPSA). The Act consolidates other pieces of proposed legislation with the aim of creating a federal privacy framework.
The CDPSA provides individuals with rights that are similar to those provided by the California Consumer Privacy Act (CCPA) and the GDPR. Subject to certain exceptions, those rights prevail over other state and federal laws. The CDPSA does not create a new federal data protection agency. Instead, it designates the Federal Trade Commission (FTC) as the federal agency in charge of administering the CDPSA.
The CDPSA recognizes two types of consent, namely, implicit consent and express affirmative consent. The second type of consent is required only in cases of collection and processing of sensitive personal data and cases where the disclosure of personal data to a third party does not fall within the scope of one or more permissible purposes which are clearly specified by the CDPSA.
An important feature of the CDPSA is that it exempts certain small businesses from a number of compliance obligations, thus reducing the compliance burden on such businesses. The exemptions cover, for example, the obligation to honor the data subject's right to access his or her personal data and the data subject's right to correct his or her personal data.
The CDPSA defines the term “small business” as any covered entity or service provider that meets both of the following two conditions.
CDPSA first condition
The first condition is that, for the most recent 6-month period, it employs no more than 500 employees and maintains less than $50 million in average gross receipts for the previous 3 years.
CDPSA second condition
The second condition is that the covered entity or service provider collects or processes on an annual basis the personal data of fewer than 1 million individuals; or the sensitive personal data of fewer than 100,000 individuals.
Another characteristic of the CDPSA is that it not only requires covered entities to write their privacy policies in easy-to-understand language (similarly to the GDPR), but also requires them to make publicly available any previous versions of their privacy policies and to provide direct notice of any changes to their privacy policies.
The COVID-19 Consumer Data Protection Act
The COVID-19 Consumer Data Protection Act was introduced on the 7th of May 2020 as a result of various proposals to use mobile devices and other monitoring services to track persons infected with COVID-19. The Act applies mainly to the collection of geolocation, proximity, and health information.
Such data can be processed only after providing the data subject with prior notice and obtaining his or her express consent. The Act aims to fill the gap in federal legislation regarding COVID-related practices, such as situations where employers measure the temperature of their employees or track their illness.
Speculations About the Nature of the New Law
Taking into account the success of the GDPR and the trend of individual U.S. states to adopt laws resembling the GDPR, we can expect that the new federal privacy law will also follow the GDPR framework.
This means that it will likely require companies to:
- Collect only data that is strictly necessary for accomplishing legitimate purposes.
- Publish comprehensive privacy policies.
- Ensure that they have legal grounds for processing consumers’ personal data.
- Use the personal data collected from consumers only for specific and limited purposes of which consumers are aware.
- Ensure that consumers can easily manage (e.g., access, edit and delete) their personal data.
- Take up-to-date technological and organizational measures to protect consumers’ personal data.
- Report personal data breaches to the competent data protection authorities.
- Retain consumers’ personal data for a limited period of time only.
- Transfer personal data outside of the U.S. only after implementing appropriate safeguards.
The failure of a company to comply with the requirements of the new law is likely to be subject to heavy fines.
We can expect that the new law will establish one or more federal data protection authorities which will be responsible for enforcing it. The entry into force of the GDPR did not lead to the establishment of new data protection authorities in the EU because such authorities existed even prior to the GDPR.
The previous EU data protection law (Directive 95/46/EC) required each EU country to have one or more public authorities responsible for ensuring privacy compliance. At present, federal privacy matters fall within the ambit of the Federal Trade Commission (FTC), but the complex task of administering a major federal consumer privacy law will likely require the creation of a new governmental entity. The entity may, for example, be called the Federal Privacy Commission (FPC). (For more on privacy, see 10 Quotes About Tech Privacy That'll Make You Think.)
A new comprehensive U.S. federal privacy law may increase the confidence of consumers in e-commerce, thus further accelerating its growth. Furthermore, it can prevent the regulatory fragmentation caused by various state privacy laws which, in turn, may be an obstacle to interstate commerce. This is because companies based in one U.S. state will need to hire privacy experts in many other U.S. states to ensure compliance with the applicable privacy laws and will incur significant costs in ensuring such compliance.
Since this will hinder the development of e-commerce, which is of utmost importance for the modern economy, it is highly unlikely that the U.S. federal institutions will allow the regulatory fragmentation in the privacy field to last for a long time. Christine Wilson, an FTC commissioner, has recently underlined the need for a federal privacy law by stating: “It would have been incredibly helpful to have federal privacy legislation in place as we are navigating these new and incredibly complex issues.”
However, if the new law governs consumer privacy matters in a rather loose manner, it may bring more harm than benefits to the U.S. citizens. This is because it may override some of the strict state privacy laws, such as the California Consumer Privacy Act of 2018. Similarly, the U.S. Federal Arbitration Act prevented states from regulating arbitration agreements.
A survey conducted by Consilio, a global legal services and strategic consulting firm, revealed that most legal professionals believed that the United States will adopt a federal privacy law in 2020.
However, such predictions seem to be overly optimistic because, as shown above, since 2018 there has been an avalanche of proposals for federal privacy laws, and none of them has been adopted yet.