Legal Sidebar

Watching the Watchers: A Comparison of Privacy Bills in the 116th Congress

April 3, 2020

As a growing number of states enact or consider consumer privacy protection measures, many in Congress are pushing for a comprehensive federal consumer privacy framework. In 2019, both the Senate Committee on Commerce, Science, and Transportation and the House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce held hearings on protecting consumer privacy. And in the last few months, Members of Congress have introduced four consumer privacy bills and circulated discussion drafts of two additional proposals:

- H.R. 4978, the Online Privacy Act of 2019, introduced by Representatives Anna Eshoo and Zoe Lofgren on November 5, 2019;
- The United States Consumer Data Privacy Act of 2019 (“USCDPA Draft”), a discussion draft circulated by Senator Roger Wicker on November 27, 2019;
- S. 2968, the Consumer Online Privacy Rights Act, introduced by Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019;
- An untitled December 18, 2019, discussion draft (“E&C Draft”) from the House Energy and Commerce Committee, spearheaded by Representatives Cathy McMorris-Rodgers and Jan Schakowsky;
- S. 3300, the Data Protection Act of 2020, introduced by Senator Kirsten Gillibrand on February 13, 2020; and
- S. 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator Jerry Moran on March 12, 2020.

Five of the six proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take similar approaches. Although details vary somewhat from bill to bill, each regulates the use of personal information by (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements. The five proposals differ, however, in three key respects: (1) which federal agency would have enforcement power; (2) whether to preempt state privacy laws; and (3) whether to
provide a private right of action. The sixth bill, S. 3300, takes a different approach: it would create a new agency vested with the power to enforce existing federal privacy laws and authorize that agency to issue broadly applicable privacy regulations. This Sidebar highlights the main components of, and key differences between, these proposals before identifying several issues for the 116th Congress.

Congressional Research Service, https://crsreports.congress.gov, LSB10441. CRS Legal Sidebar, Prepared for Members and Committees of Congress.

Main Components

The six proposals share a number of components. Each bill defines the type of information it would protect (covered or personal information or data) in similar terms, with most including information that is linked or reasonably linkable to an individual. Many of the proposals (the USCDPA Draft, S. 2968, the E&C Draft, and S. 3456) would provide additional protections for sensitive information, including government-issued identification numbers, financial account numbers, health records, biometric data, and geolocation data.

Likewise, each bill specifies the type of entities it would cover, though the breadth of this coverage varies. S. 2986 would cover only entities or persons subject to the Federal Trade Commission Act, excluding small businesses. Conversely, S. 3300 would apply to any “person” (which, under existing law, would include corporations and other businesses) “that collects, processes, or otherwise obtains personal data with the exception of an individual processing personal data in the course of personal or household activity.” Some bills (H.R. 4978, S. 2968, S. 3456) would exempt certain types of entities in whole or in part, such as small businesses and entities engaged in journalism. In addition, some bills (the USCDPA Draft, S. 2968, S. 3300) would impose additional restrictions on large data holders that exceed certain revenue thresholds or process the covered information of a specified number of individuals.

The six
proposals also specify which agency would be responsible for enforcing the new laws, offering two main approaches. Most bills would either vest the Federal Trade Commission with enforcement authority (the USCDPA Draft, S. 3456) or create a new bureau within that agency (S. 2968, E&C Draft). Two bills, however—H.R. 4978 and S. 3300—would create new agencies to oversee privacy requirements.

Individual Rights and Covered Entities’ Duties

Five of the proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take a similar substantive approach, creating protections for covered information that are enumerated as individual rights and covered entity duties. Although each bill uses different terminology—certain protections appear as rights in some bills and duties in others—and would recognize a slightly different set of rights and duties, some protections are common to all five proposals. Table 1 identifies selected protections under each of these five proposals.

First, each of these five proposals (H.R. 4978, S. 2968, S. 3456, and the two discussion drafts) would recognize a core set of individual rights with respect to covered information held by covered entities. The right of access would give individuals the right to view their covered data held by covered entities, a list of third parties to which that data had been transferred, and the purposes of any such transfers. The right of deletion would allow an individual to request that covered entities delete (or, under some bills, deidentify) any of that individual’s covered information, with some exceptions. The right of correction would give individuals the ability to correct—or require a covered entity to correct—inaccurate information. The right of portability would require covered entities to provide individuals, on request, with copies of their data free from any restrictions on use. And the right of information (also called the right of transparency or the right to know) would require a covered entity to provide individuals with copies of the entity’s
privacy policy, as well as any updates to the privacy policy.

Second, each proposal would create notice and consent requirements for how covered entities would use covered information. Under these requirements, a covered entity would have to notify an individual when it intends to collect or transfer information. The entity would then have to ask the individual for affirmative consent (opt in) or give the individual a chance to opt out of the collection or transfer.

Finally, each of these five proposals would require covered entities to limit how they collect and use covered information and to take certain steps to safeguard that information. The duty of minimization would limit a covered entity’s collection, processing, and transfer of covered information to no more than it reasonably needs to provide the product or service that an individual requested. Complementing that duty, covered entities would be required to safeguard covered information in their possession by implementing physical security and cybersecurity policies.

Table 1. Selected Protections in Pending Privacy Legislation

| Protection | H.R. 4978 | USCDPA Draft | S. 2968 | E&C Draft | S. 3456 |
|---|---|---|---|---|---|
| Right of Access | § 101 | § 103(a)(1)(A) | § 102(a) | § 5(a)(2) | § 5(b) |
| Right of Correction | § 102 | § 103(a)(1)(B) | § 104 | § 5(a)(3) | § 5(c) |
| Right of Deletion | § 103 | § 103(a)(1)(C) | § 103 | § 5(a)(5) | § 5(d) |
| Right of Portability | § 104 | § 103(a)(1)(D) | § 105(a) | — | § 5(b)(2)(B) |
| Right of Information | § 107 | § 102 | § 102(b) | § 3(a)(1) | § 4 |
| Notice Requirements | §§ 212(a), 213 | § 102 | § 102(b) | § 3(a)(1) | § 3(b)(2) |
| Opt-Out Consent | § 212(b)(2) | § 104(d) | § 105(b) | § 6(c) | § 3(b)(1)(A) |
| Opt-In Consent | § 212(b)(1) | § 104(a) | § 105(c) | § 6(d) | § 3(b)(1)(B) |
| Minimization | § 201 | § 105 | § 106 | § 7(a)(1) | § 3(d) |
| Data Security | § 214 | § 204 | § 107 | § 9 | § 6 |

Source: CRS, using information from H.R. 4978, the USCDPA Draft, S. 2968, the E&C Draft, and S. 3456.

An Alternative Approach: S. 3300

Compared to the other five proposals, S. 3300 would take a markedly different approach: it would not impose any new privacy obligations on covered entities. Instead, the bill
would centralize all privacy oversight and enforcement responsibilities for existing sector-specific laws—such as Title V of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) and the Children’s Online Privacy Protection Act of 1998 (Pub. L. No. 105-277)—in a new Data Protection Agency. S. 3300 would also authorize the agency to issue regulations to prevent “unfair or deceptive act[s] or practice[s] in connection with the collection, disclosure, processing, and misuse of personal data.”

Key Differences

Although the bills are similar in many respects, they contain two major areas of divergence that may make it difficult for Congress to reach consensus: whether to include a private right of action and whether to preempt state law.

Two of the bills—H.R. 4978 and S. 2968—would provide a private right of action for an individual to challenge in court a covered entity’s collection or use of that individual’s covered information. (For a discussion of the constitutionality of private rights of action in this space, see CRS Legal Sidebar LSB10303, Enforcing Federal Privacy Law—Constitutional Limitations on Private Rights of Action, coordinated by Chris D. Linebaugh.) Both bills would also allow an individual to seek damages for harm caused by the covered entity’s use of the individual’s information. In contrast, three bills—the USCDPA Draft, S. 3300, and S. 3456—would not create a new private right of action, instead relying on the oversight agency and state attorneys general to enforce the bills’ provisions. The E&C Draft includes a placeholder heading for private rights of action without any specific requirements.

Similarly, the proposals are split on whether to preempt state privacy laws expressly, such as the California Consumer Privacy Act (CCPA). For more information on preemption, see CRS Report R45825, Federal Preemption: A Legal Primer, by Jay B. Sykes and Nicole Vanatko; for a discussion on the CCPA, see CRS Legal Sidebar LSB10213, California Dreamin’ of Privacy Regulation: The
California Consumer Privacy Act and Congress, coordinated by Eric N. Holmes. Two of the bills—the USCDPA Draft and S. 3456—would expressly preempt state law, though S. 3456 contains a number of exceptions for state laws that relate to other federal sector-specific privacy laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191). Two of the bills—S. 2968 and S. 3300—would explicitly preserve state laws and would only preempt state laws to the extent they conflict with those bills. Finally, neither H.R. 4978 nor the E&C Draft states whether they would preempt or preserve state laws. (The E&C Draft again has a placeholder heading.) Table 2 summarizes these differences.

Table 2. Major Differences in Pending Privacy Legislation

| | H.R. 4978 | USCDPA Draft | S. 2968 | E&C Draft | S. 3300 | S. 3456 |
|---|---|---|---|---|---|---|
| Private Right of Action | Yes (§ 407) | No | Yes (§ 301(c)) | Not specified | No | No |
| State Law Preemption | Not specified | Yes (§ 404) | Only direct conflicts (§ 302(c)) | Not specified | Only direct conflicts (§ 10(a)) | Yes, with exceptions (§ 10(a)) |

Source: CRS, using information from H.R. 4978, the USCDPA Draft, S. 2968, the E&C Draft, S. 3300, and S. 3456.

Issues for the 116th Congress

Although the proposals are similar in many respects, they differ in key ways, including whether the new federal laws would preempt state law and whether individuals would have a private right of action to enforce the law. As several news outlets have discussed, these “key sticking point[s]” make it “unclear if there is any path forward for privacy legislation.” A dispute over whether to include a private right of action has prevented the passage of Washington State’s privacy bill, and disagreement on this point could lead to a similar result in Congress.

The preemption issue relates to a more time-sensitive concern: whether Congress seeks to guide the national debate on privacy laws rather than respond to it. California is working to implement the CCPA, and more than a dozen states continue to develop their own
privacy legislation. Until Congress provides direction through a federal bill—whether or not it preempts state law—it seems likely that states will develop a patchwork of laws that may be inconsistent and difficult for businesses to navigate.

Some Members have indicated that there is room for continued negotiation, though others seem less hopeful. Ultimately, unless Congress comes to an agreement on these two core issues, it may be unlikely that any of these proposals will gain traction.

Author Information

Jonathan M. Gaffney
Legislative Attorney

Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

LSB10441 · VERSION 1 · NEW