Competing Consumer Data Protections Bills Recently Introduced to Rival Consumer Data Protection Act
We previously analyzed the Consumer Data Protection Act (the “CDPA”), which was introduced by Senator Ron Wyden (D-OR) in November of 2018. The bill, if passed and implemented, would regulate the collection of consumer data by requiring annual data protection reports, granting consumers rights over their personal data, and levying steep fines, along with criminal penalties, against companies that violate the regulations. Since the introduction of the CDPA, other bills have been introduced that rival Senator Wyden’s bill.
In December of 2018, Senator Brian Schatz (D-HI) introduced the Data Care Act (the “DCA”). The DCA does not contain specific regulatory provisions. Rather it states that the Federal Trade Commission would create the regulations. The DCA specifies that the following types of data are subject to the regulations:
- social security numbers
- passport and driver’s license numbers
- military IDs
- financial account numbers or codes
- email addresses
- online logins or passwords
- any information that contains a significant part of a subject’s name in combination with the subject’s full date of birth
- biometric data such as fingerprints, retina scans, or voice prints
The DCA is designed to act as a gap filler for states that do not have consumer data protection laws. The DCA expressly states that the bill will not modify, limit, or supersede current or future data privacy laws at the state or federal level. This could allow states to draft stronger or weaker bills addressing the issue of consumer data protection.
The DCA, however, is not the only bill rivaling the CDPA. The new year also brought about a new bill introduced in mid-January by Senator Marco Rubio (R-FL). That new bill is entitled the American Data Dissemination Act (the “ADDA”). The ADDA was introduced with the goal of protecting consumer data while also ensuring that innovative capabilities of the internet economy will not be limited. The bill will provide straightforward protections that consumers can understand and will be enforced by the Federal Trade Commission. Similar to the DCA, the Federal Trade Commission will draft the regulatory provisions; however under the ADDA, the provisions must be submitted to and accepted by Congress.
The overarching goal of consumer data regulation and protection is common to the DCA, the ADDA, and the CDPA of course. At the same time, these two newer proposed regulations differ from the CDPA as to their restrictions, enforcement, and penalties. The CDPA provides for criminal penalties for wanton conduct by executives, but the DCA and ADDA only provide for fines. The CDPA also differs because it sets out specific provisions, whereas the DCA and ADDA leave the responsibility of creating the provisions to the Federal Trade Commission. However, the DCA allows the Federal Trade Commission to do this with minimal oversight, while the ADDA requires approval from Congress prior to being enacted as law.
All three of these bills are in their infancy stages, and only one bill will emerge and be enacted as law. We have less current information as to the DCA and the ADDA because their specific provisions will not be drafted until one of the bills are passed into law and the Federal Trade Commission drafts the applicable language. However, companies that have already become compliant with the General Data Protection Regulation and the California Consumer Privacy Act will be in an excellent position to become compliant with these new laws due to the similar goals of each such regulation – protecting consumer data and regulating companies that seek to profit from using consumer data in various ways.
As the 116th Congress has just been sworn in, our experienced attorneys at Dickie, McCamey & Chilcote, P.C. will continue to monitor the developing data privacy regulations in the United States. Our attorneys have advised clients on international and domestic data privacy compliance for years and will continue to do so as the global trend moves toward stricter data privacy regulations. If you have any questions or concerns, please contact us. We will be happy to work with you and to help equip your company for compliance in this constantly evolving area.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.