Senator Roger Wicker (R-Miss), the Commerce Committee Chair, presented a draft copy of the United States Consumer Data Privacy Act of 2019 (CDAP). CDAP is a federal data privacy bill meant to replace the patchwork of state privacy regulations in the U.S. It will make sure that all U.S. citizens are given the same rights and privacy protections irrespective of where they reside. Should the bill pass, it will override state privacy regulations, including the California Consumer Privacy Act (CCPA), which is about to take effect on January 1, 2020.
CCPA provides California residents with new privacy rights and has been compared to the EU's General Data Protection Regulation (GDPR), although with fewer security prerequisites for organizations. Just like GDPR, CCPA makes it possible for consumers to know which of their information a company holds and who receives their data. It additionally features a private cause of action, so consumers can sue businesses that violate the CCPA. CCPA, nonetheless, only applies to specific companies: those having income over $25 million, those that retain the information of at least 50,000 people, and those that collect over half of their income from selling personal information.
Sen. Wicker's CDAP goes beyond CCPA since it is going to apply to a wider array of businesses. It likewise goes into more depth on the protections that should be available to consumers. CDAP requires companies to publish straightforward privacy policies that cover the collection, usage, and disclosure of personal information, including explanations of the reason for collecting the data, its retention period, and information on the company's security procedures.
CDAP enables consumers to know which of their information a company has and who else receives their data. Companies will be expected to give access to the data without charge twice a year and to respond to requests within 45 days.
Permission to collect personal information must be obtained from consumers through an affirmative action before the data is used for purposes not specified in a company's privacy procedures, and likewise before any personal data is sold. Sen. Wicker's CDAP doesn't include a private cause of action, so consumers cannot take legal action for CDAP violations.
Just like HIPAA, CDAP has a 'minimum necessary' provision that requires businesses to limit data collection to the minimum amount required to accomplish the purpose of collection. CDAP would additionally require businesses to enforce security measures to secure personal information, follow security guidelines, and apply data minimization. As with GDPR, companies will need to assign privacy and security officers to manage compliance and to create and execute privacy policies and practices.
Sen. Wicker's CDAP is just one of two national privacy bills introduced recently. The other bill is Sen. Maria Cantwell's (D-Wash) Consumer Online Privacy Rights Act (COPRA). COPRA likewise gives consumers rights over their personal information and features GDPR-type protections.
Even though Sen. Wicker's bill lines up with Cantwell's, COPRA doesn't pre-empt state regulations. The Republican camp is willing to create new legislation that would replace the present patchwork of state privacy regulations. The Democrats, however, do not wish to replace state laws, which might give more consumer protections.
Sen. Wicker's CDAP and Sen. Cantwell's COPRA were reviewed at the Senate Commerce Committee hearing on December 4, 2019. Although the two senators agreed on the necessity of a bipartisan privacy bill and its enforcement by the FTC, they have not agreed on what should be included in the bill. The open questions are whether there should be a private cause of action and whether the federal privacy law should preempt state privacy laws, for instance, the New York Privacy Act and the CCPA.