Over the past year, we have continued to see a shift in the privacy landscape in the United States, including the passage of comprehensive privacy legislation in Virginia and Colorado, while other states still have bills pending. At the federal level, dozens of privacy-related bills have been proposed in Congress. These bills seek to address contact tracing, COPPA amendments, financial privacy, social media privacy, and biometric surveillance by the federal government. Several comprehensive federal privacy bills have also been introduced in the 117th Congress. In this series of articles, we examine comprehensive federal bills proposed last year and compare their provisions to those of the current California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), which goes into effect January 1, 2023. See our previous article in this series on HR 1816 here.

Consumer Data Privacy and Security Act of 2021 (S. 1494)

S. 1494, or the Consumer Data Privacy and Security Act of 2021, was introduced by Senator Jerry Moran of Kansas on April 29, 2021, and was referred to the Senate Commerce, Science, and Transportation Committee. As of this writing, there are no other co-sponsors and no further action has been taken.

The proposed law requires that a “covered entity…only collect or process an individual’s personal data if” (1) the covered entity has obtained express or implied consent to process the data for a specific purpose, or (2) the collection is “in accordance with a permitted purpose” under the proposed law. Express consent, which is required for the processing of sensitive personal data (discussed below) and certain other disclosures, requires an unmistakable affirmative action. Implied consent, by contrast, does not require affirmative action: consent is implied if, after receiving notice and a reasonable time to respond, the individual does not refuse the relevant request. A covered entity, like a “business” under the CCPA and CPRA (or a “controller” under the GDPR), is an entity that “determines the purpose and means of the collection or processing of personal data”. However, unlike the various CCPA or CPRA thresholds, a covered entity here is an entity subject to the FTC’s jurisdiction, an entity subject to the Communications Act of 1934, or a non-profit organization. Note that “covered entity” does not include service providers (which are discussed below). As under the CCPA and CPRA, personal data is “information that identifies or is linked or reasonably linkable to a specific individual”. Information is linked or reasonably linkable to an individual if it can be used to identify the individual, including device-related identifiers such as an IP address. “Personal data” carries exclusions like those found in the CCPA, including employee data, publicly available information, and de-identified data; however, employee data collected as part of a B2B transaction is not addressed.

As noted above, consent is not always required by the proposed law. A third party (a non-affiliated covered entity) that obtains personal data may collect or process that data without consent if, for example, “the covered entity from which the third party received the personal data” informed the individual that the data would be disclosed to a third party and of the purposes of such disclosure, and the individual consented to the disclosure or processing in question. Consent is also not required if the collection or processing of personal data is reasonably necessary for and limited to certain listed purposes, including the provision of services or the performance of a contract, compliance with the law, data security, or research.

As noted above, express affirmative consent is required to collect or process an individual’s sensitive personal data. Similar to the definitions in HR 1816 and the CPRA, sensitive personal data includes the expected categories, such as unique government identifiers (e.g. SSN), biometric information, the content of certain electronic communications, certain medical and financial information, race, religious beliefs, sexual orientation, precise geolocation data, and other data deemed sensitive by FTC regulation. There is also a data minimization requirement for sensitive personal data that limits how long a covered entity or service provider may retain that data or keep it in an identifiable format.

Both implied and express consent require notice, which must be concise, meaningful, and easy to understand, and must include, as the CCPA and CPRA require, the types of personal data collected, the purposes for which the data is collected or processed, and how an individual can exercise their rights. These rights include the right to withdraw consent at any time, the right to know (which is similar to the privacy policy requirements under the CCPA and CPRA), and individual control rights such as access, portability, accuracy, correction (which is new under the CPRA), and deletion (with restrictions).

The bill also requires a comprehensive data security program with reasonable safeguards, depending on the nature and scope of the entity’s activities, data sensitivity and security incident risks. If certain thresholds are met, the proposed law also requires a privacy officer and a comprehensive privacy program.

Like the CCPA and CPRA, the bill permits a covered entity to disclose personal data to a service provider only under a binding contract, and that contract must restrict the purposes of processing. Service providers are also, among other things, required to cooperate with covered entities so that covered entities can respond to individuals’ rights requests.

Violations of the proposed law are treated as unfair or deceptive trade practices, and enforcement is delegated to the FTC. In recognition of this new authority, the bill expands the FTC’s workforce by providing for the appointment of at least 440 new employees. State attorneys general can also enforce the proposed law, but there is no private right of action. There is a broad preemption clause that overrides all state privacy and security laws, except that the proposed law would not preempt state data breach notification laws insofar as the state law is not inconsistent with the proposed law. The proposed law is also not expected to affect a number of federal laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), the Family Educational Rights and Privacy Act of 1974 (“FERPA”), and the Gramm-Leach-Bliley Act (“GLBA”).

With respect to foreign data privacy laws, the bill directs the Secretary of Commerce, in consultation with the FTC and other relevant agencies, to engage with foreign authorities regarding their data privacy regimes and to develop mechanisms for handling cross-border transfers of personal data. This is, of course, already happening in the GDPR context with the EU-US Privacy Shield 2.0 negotiations.
