GOP Federal Privacy Bill Would Supersede CCPASen. Roger Wicker Seeks Single Set of National Requirements
After several moves by Democrats to introduce federal privacy legislation, Republican Senator Roger Wicker of Mississippi on Tuesday unveiled a draft consumer privacy bill, the United States Consumer Data Privacy Act of 2019, that would override various state laws on privacy, including the California Consumer Privacy Act.
Wicker claims that compared with California's law, which goes into effect in January, his proposed federal legislation has more detailed consumer protections, covers more companies and has more explicit requirements that companies collect the minimum amount of personal data needed for their purpose, according to Reuters.
Last week, U.S. Sen. Maria Cantwell, D-Wash., introduced another federal privacy bill, the Consumer Online Privacy Rights Act, which intends to expand the rights of individuals when it comes to how their personal data is collected, shared and used. Unlike Wicker's bill, however, Cantwell's would not pre-empt state privacy laws, including CCPA.
Wicker says he's willing to negotiate with Cantwell and other Democrats on the details of a national privacy bill. "[Democrats] need to decide if they want a bill, if they would like to continue negotiating in good faith or whether we are going to abandon this over plaintiffs' lawyers," Wicker told Reuters.
Earlier in November, two Democratic members of the U.S. House proposed a national privacy law that calls for the formation of a new federal agency to enforce privacy rights. And in October, Sen. Ron Wyden, D-Ore, introduced the Mind Your Own Business Act that proposes to expand the FTC's authority to regulate data collection.
GOP Bill's Provisions
Wicker's legislation, which would take effect two years after the date of enactment, would pre-empt all state privacy laws in order to avoid "a confusing patchwork of state measures." The bill would place enforcement authority in the hands of both the Federal Trade Commission and state attorneys general. Although the legislation does not provide for a private right of action, Wicker says he would consider adding such a provision.
The bill would require organizations that collect consumers' data to describe the processing purpose of a data, offer a detailed description of data retention practices and describe data security practices.
The bill proposes that an individual will have the right to access information within 45 days of submitting a request. Moreover, the bill proposes that an individual can exercise these rights twice in a year free of charge.
The legislation would require companies to obtain "affirmative consent" from consumers before selling their data or using it for a purpose different from what was initially intended.
The bill also would require organizations to implement several internal practices to protect their data, including data security policies and practices and data minimization. It would promote corporate accountability by requiring companies to designate privacy officers and data security officers to coordinate policies and practices on processing data and facilitate compliance.
The legislation also would create whistleblower protections to ensure that organizations do not punish employees who come forward about possible violations of the law.
Last month, Microsoft said it will apply the core rights of the California Consumer Privacy Act across all its customers in the U.S. But a number of organizations, including Microsoft, have backed development of a national privacy law.