Federal Consumer Data Privacy and Security Act Overview

Senator Jerry Moran (R-Kan) recently re-introduced the Consumer Data Privacy and Security Act, after the last Congress did not enact his previous version. Senator Moran’s latest bill proposes to nationalize data security requirements and establish a federal standard for consumer data privacy rights. In so doing, it tracks aspects of the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). Highlights include:

Pre-emption. The bill pre-empts state law.

Covered Entities. The bill would apply to any entity that alone, or jointly with others, determines the purpose and means of collecting or processing personal data and is subject to either the Federal Trade Commission’s (FTC) jurisdiction or the Communications Act of 1934, as amended. This definition includes nonprofit organizations.

Data Covered. “Personal data,” which means information that identifies or is “linked or reasonably linkable to a specific individual.” This definition includes device-level identifiers. However, it does not include de-identified or encrypted data.

Notice and Consent. Under the bill, a covered entity could not collect or process an individual’s personal data unless the individual consented for a specific purpose or in accordance with a permissible purpose.

Privacy Policy. Covered entities would have to publish a privacy policy. The policy would include descriptions of the personal data collected and the purposes of collection and processing, as well as the applicable retention period.

Individuals’ Control of Data. The bill would require covered entities to provide individuals the means to access, correct, and erase their personal data at no cost. However, the bill does not require “small businesses,” as defined therein, to provide a right to access or correct personal data.

Security. The bill would require covered entities and service providers to develop, document, implement, and maintain a comprehensive data security program designed to protect personal data from unauthorized access and related harmful disclosures. The required data security program would have to:

  • Include a designated employee responsible for managing the safeguards;

  • Be designed to identify material internal and external risks to the security and confidentiality of the personal data handled by the entity;

  • Implement safeguards designed to control the risks identified in its risk assessments while regularly assessing the effectiveness of the safeguards;

  • Maintain reasonable procedures to ensure that service providers and third parties to whom the personal data is transferred have similarly effective safeguards; and

  • Maintain reasonable flexibility to adjust the safeguards in light of any material changes in technology and business arrangements.

Privacy Requirements. Entities that collect and process the personal data of more than 20 million individuals or the sensitive personal data of more than 1 million individuals would be required to hire a privacy officer and conduct periodic privacy assessments.

Service Provider Rules. The bill would require any covered entity that contracts with a service provider through which it discloses personal data to take steps to ensure that the service provider is complying with this law. The bill also lists specific requirements for any such contract.

Enforcement. The bill would grant enforcement authority to the FTC and state attorneys general. The bill would also give the FTC rulemaking authority to implement the law. The bill does not provide a private right of action.

The full text of the bill is here.
