Heading into the new year, California Consumer Privacy Act (“CCPA”) readiness remains top of mind for many businesses, especially as continued developments, such as the California Attorney General’s forthcoming implementing regulations, may implicate compliance efforts. State legislation will likely move forward in 2020. At the same time, however, companies should not lose sight of legislative proposals at the federal level, which have the potential to reshape the privacy landscape in the United States and even preempt state laws such as the CCPA. The question of whether a federal privacy bill can pass in 2020 remains an open one. But regardless of whether a bill will actually pass, the legislative proposals that are emerging this year likely will shape the contours of federal legislation that could move toward becoming law.
Although the issues of preemption and a private right of action dominated the federal privacy conversation last year, four legislative trends emerged in 2019 that also may become key components of a federal privacy framework:
- Expansive Definition of Sensitive Data: Several federal bills introduced in 2019 utilized broad definitions of sensitive data that include biometric information, precise geolocation information, and/or certain device and messaging data. Notably, although some of these bills identify web browsing history as sensitive data, only Senator Maria Cantwell’s (D-WA) Consumer Online Privacy Rights Act (“COPRA”) sweeps in “information revealing online activities over time and across third-party website or online services” as part of its definition. How sensitive data is defined may be critical in a future federal privacy bill, as legislation proposed thus far has often required some form of heightened consent before such data may be processed or transferred.
- Anti-Discrimination Protections: Discriminatory processing and algorithmic bias were major issues in 2019, which several bills attempt to address through anti-discrimination protections and/or algorithmic accountability requirements. For instance, Senator Cantwell’s COPRA prohibits the processing of personal data on the basis of protected characteristics in specific contexts (e.g., housing and employment determinations), and requires annual impact assessments for certain algorithmic decision-making processes. Taking a different approach, Senator Roger Wicker’s (R-MS) draft of the U.S. Consumer Data Privacy Act would require the FTC to develop guidance on algorithmic transparency and cooperate with government agencies that enforce anti-discrimination laws. These bills highlight both lawmakers’ concerns over algorithmic bias and discrimination, and the myriad ways that they may approach these issues.
- Portability: Although federal privacy discussions often focus on individual rights of access, correction, and deletion, a plethora of proposals have indicated that a future privacy framework likely will include a right to portability. However, what data this right should cover may be an area of contention, as legislative proposals appear to diverge on whether ported data should be limited to the information that an individual provides to an entity or include additional types of information (e.g., personal information collected from other sources).
- CEO Certification Requirements: Lastly, lawmakers also proposed requirements for CEOs and/or privacy and data security officers to annually certify compliance with their bills to a government agency (e.g., the FTC). Two of these bills, Senator Ron Wyden’s (D-OR) Mind Your Own Business Act and Senator Josh Hawley’s (R-MO) National Security and Personal Data Protection Act of 2019, impose penalties on individuals that violate these requirements. These bills suggest that a federal privacy bill may include specific requirements and penalties for executive officers among its accountability mechanisms.