Federal Consumer Data Security Bill in a Nutshell
United States Senator Jerry Moran (R. Kan.), Chairman of Commerce Subcommittee on Consumer Protection, has introduced legislation, Senate Bill 3456, to establish a national standard for protecting consumer data and personal information. The draft bill is here. A summary of the bill prepared by the Office of Senator Moran is here.
Titled, the Consumer Data Privacy and Security Act, (CDPSA), would establish requirements for the collection, use and retention of consumer’s personal data. The CDPSA proposes definitions for terms such as covered entity, processing, service provider, small business and third party. It also includes a consumer’s “right to know” provision requiring covered entities to provide clear information concerning:
- the categories of data collected and the purposes for collection, processing and sharing with third parties;
- retention periods;
- criteria for deletion and de-identification;
- notification of material changes to privacy policies and practices by the covered entity;
- how the consumer can avoid or minimize collection and processing of personal data; and
- contact information of the appropriate representative for the covered entity who will address inquiries about its privacy policies and practices.
Section 5 of the CDPSA would grant consumers “Individual Control” over their data. Covered entities also would be required to implement “privacy controls” that provide an “easy to use means to exercise the individual’s rights established under [Section 5] with respect to [personal] data.”
The CDPSA also would establish general security program requirements, stating: “[e]ach covered entity and service provider shall develop, document, implement, and maintain a comprehensive data security program that contains reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of personal data from unauthorized access, use, destruction, acquisition, modification, or disclosure.” The appropriateness of such safeguards are determined by:
- the size, complexity, and resources of the covered entity or service provider;
- the nature and scope of the activities of the covered entity or service provider;
- the technical feasibility and cost of available tools, external audits or assessments, and other measures used by the covered entity or service provider to improve security and reduce vulnerabilities;
- the sensitivity of the personal data involved; and
- the potential for unauthorized access, use, destruction, acquisition, modification, or disclosure of the personal data involved to result in economic loss, identity theft, fraud, or physical injury to the individuals to whom such data relates.
The legislation clearly is influenced by the California Consumer Protection Act (CCPA). Although its progress is uncertain in the current political and COVID-19 environments, CDPSA may serve as a bellwether of an eventual federal standard for data privacy. It is another suggestion that the privacy requirements under CCPA are here to stay, and that companies should continue to design and implement programs to comply with those requirements.
If you have questions or would like further information, please contact Linda Perkins (firstname.lastname@example.org; 215.864.6866).
As we continue to monitor the novel coronavirus (COVID-19), White and Williams lawyers are working collaboratively to stay current on developments and counsel clients through the various legal and business issues that may arise across a variety of sectors. Read all of the updates here.