Proposed Privacy Bill Would Bolster FTC Enforcement Authority
Legislation was recently introduced in the Senate that would significantly bolster the Federal Trade Commission’s authority to enforce privacy and data security laws, and preempt the patchwork of presently existing data privacy regimes.
Intended to address those that utilize, process and benefit from consumer data in “unfair and deceptive ways,” the Consumer Data Privacy and Security Act was introduced in March 2020 by Sen. Jerry Moran and is one of a number of privacy bills recently introduced in Congress. Rather than creating an independent Data Protection Agency, as recently proposed by Senator Kirsten Gillibrand, the Act would add more than 400 employees to the FTC’s workforce and mandate that companies implement comprehensive data security programs.
The Act would require companies collecting personal data to provide notice, to obtain consumer consent, and to permit consumers to know what data is collected, correct inaccuracies and request data deletion. The Act would impose an ongoing duty of due diligence of service providers on covered entities, which could be quite a resource-heavy endeavor.
The Act would preempt state and local laws related to the privacy or security of personal data. However, a number of laws that do not conflict with the Act would not be preempted, including, but not limited to, data breach notification laws, criminal or civil procedure and general standards of fraud or public safety. Also exempt, without limitation, would be the Children’s Online Privacy Protection Act, Title V of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act.
Covered entities that qualify as small businesses would be exempt from complying with an individual consumer’s right to access and rights to accuracy and correction.
The Act requires covered entities to clearly and conspicuously disclose privacy policies, which must be drafted in “easy-to-understand” language. Interestingly, the Act requires covered entities to make prior versions of privacy policies publicly available, and to provide direct notice of any material changes to their privacy policies.
Violations would be considered unfair or deceptive acts under Section 5 of the FTC Act subject to penalties calculated by the number of individuals affected by a violation multiplied by an amount not to exceed $42,530. Several factors would be considered in determining the amount of the civil penalty.
State Attorneys General could also bring civil actions. No private right of action is provided for under the bill, perhaps in order to curb abusive private litigation.
Whether or not the Act is ultimately passed, stricter privacy regulations in the U.S. are most likely inevitable.
Richard B. Newman is an FTC lawyer and advertising practices attorney. Follow him on Twitter @FTC defense lawyer.
Informational purposes only. Not legal advice. May be considered attorney advertising.