Experts Dissect Three Proposed Federal Data Privacy Bills at NTSC Virtual Roundtable

What’s the likelihood of a federal data privacy bill passing in the COVID-19 age? The answer is unclear, but it’s not for a lack of trying. Congress has recently introduced multiple federal data privacy bills—some from the GOP, some from Democrats, and some bipartisan—each with varying elements and components that would affect businesses in different ways. Whatever the outcome, it’s clear that we do need a federal data privacy law. Otherwise, we risk taking the same route as data breach notification legislation as states pass up to 50 different data privacy bills that will not be feasible for companies to manage.

During our first virtual CISO roundtable on June 4, our distinguished panel provided an overview of three bills.

The following post summarizes some of the key points made during our discussion with Jordan Crenshaw (Executive Director and Policy Counsel, U.S. Chamber of Commerce’s Technology Engagement Center), Michelle Roback Kraynak (AVP, Counsel at Voya Financial), Robert Ball (Chief Privacy Officer at Ionic Security), and moderator Jodi Daniels (Founder and CEO of Red Clover Advisors).

COVID-19 Consumer Data Protection Act

This bill will “protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.” It requires affirmative consent for the collection, processing, and sharing of COVID-19 health emergency data and contains purpose limitations, reporting requirements, and a requirement for reasonable security policies and practices.

One concern from companies is the bill’s concept of workplaces. As currently written, this bill contains a workplace screening exception. The COVID bill excludes “employee screening data,” and the exclusion depends on the type of employee (“an employee, owner, director, officer, staff member, trainee, vendor, visitor, intern, volunteer, or contractor of the covered entity”) and their activity (“whether the individual is permitted to enter a physical site of operation of the covered entity”). Some concern exists with that language. For example, let’s say you’re an employee going out to fix internet cable somewhere, or you are a real estate agent who only meets clients at a home. Neither employee would be entering the physical headquarters of a company. Would that data be included in the exemption?

Also, the bill preempts state laws related to COVID-19 data (although full preemption is not clear from the bill’s language) and there is no private right of action (a contentious point that often becomes an obstacle when passing data privacy bills).

Consumer Online Privacy Rights Act (COPRA)

This bill will “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” It’s a comprehensive privacy law with some direction about data security, likely influenced by the California Consumer Privacy Act (CCPA) and the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation. The first striking element about this bill is that it presents a sort of Miranda rights for privacy, with the goal of simplifying and clarifying what constitutes a violation. Those rights include the:

  • Right to access and transparency
  • Right to delete
  • Right to correct inaccuracies
  • Right to controls
  • Right to data minimization
  • Right to data security

This idea sounds great until we think about the complexity of data, what constitutes data, and the numerous industries that deal with data. A federal data privacy bill can actually backfire if it is made too simple and does not effectively account for the complexity of data.

In addition to these Miranda rights, the bill also:

  • Contains a section about duty of loyalty that warns against deceptive and harmful data practices.
  • Only applies to companies with over $25 million in revenue and that “annually process the covered data of an average of 100,000 or more individuals, households, or devices used by individuals or households; and derive 50 percent or more of its annual revenue from transferring individuals’ covered data.”
  • Does not completely preempt all state laws. If the state law is stricter, then this law will not preempt it.
  • Charges the FTC with creating a new bureau, with independent litigation authority, that will solely focus on enforcing this particular law.
  • Includes a private right of action. Individuals can go to federal or state court, with penalties of “an amount not less than $100 and not greater than $1,000 per violation per day or actual damages, whichever is greater.” The award also includes reasonable attorney’s fees and any other relief, and it additionally grants the plaintiff the right to punitive damages, which is a big deal for a federal data privacy bill.
  • Requires accountability. The company must have at least one privacy officer and one data security officer. Then, the CEO, each privacy officer, and each data security officer will annually certify their compliance with this law to the FTC.
  • Addresses artificial intelligence in depth and goes heavily into algorithmic decision making—requiring assessments, avoiding unfair biases, and preventing the unethical use of data.
  • Specifically and comprehensively references, clearly defines, and exempts employee data such as emergency contact information, information collected by a covered entity or the covered entity’s service providers about the individual, a relative of the individual, etc. This is interesting considering that employee data will be included under the CCPA.

Consumer Data Privacy and Security Act (CDPSA)

If compared to GDPR or the CCPA, CDPSA is a more comprehensive data privacy bill focusing on aspects such as consent, a right to erasure, and a right to correction. While a privacy bill, CDPSA also contains data security elements requiring appropriate technical, administrative, and other safeguards. Highlights of the bill include:

  • No private right of action. State attorneys general have the right “to bring civil action on behalf of the residents of their state, as parens patriae, for violations of this act or regulations promulgated by this act.” However, they must first check whether the FTC wants to take action. If not, then the state attorney general can take the case.
  • Preemption of state law unless it relates to data breach notification.
  • A carving out of information about employees and employee data, actually excluding it from the definition of sensitive personal data. There is a section that goes into significant detail about what employee data means.
  • Preemption of many federal laws except for the typical exemptions such as the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Health Information Technology for Economic and Clinical Health Act (HITECH), etc.
  • Two regimes—a definition of “personal data” and then a definition of “sensitive personal data.” Competing definitions are problematic, forcing attorneys and privacy professionals to go to the lowest common denominator for the broadest definition.
  • The FTC as primary enforcer. It’s important to note that the FTC doesn’t provide much advice to CISOs and constituents about how to prevent and avoid violating the law.
  • A small business exemption. If you’re under 500 employees, under $50 million in revenue, and handle less than a million personal data elements on individuals or less than 100,000 sensitive data elements, then you’re exempt. This is an interesting exemption, as it isn’t clear why small companies that handle extremely sensitive data would be exempt simply because they lack resources or are too small.
  • Penalty provisions up to $42,530 per violation. This number stems from the FTC Act which is the maximum they can apply as a civil penalty. However, that means one violation is $42,530 but a million violations would be $42.53 billion.

Overall, this bill moves us toward a comprehensive privacy, consent, and use minimization regime that, along with components such as data breach notification legislation, is part of a comprehensive policy that we need to put into effect.

---

The panelists were asked this concluding question: “When looking at these bills and considering the probability of their passage, what might a company consider for its security and data breach processes that it’s not already doing?” They offered some observations about how data security is addressed in these bills and then provided some useful takeaways for CISOs and companies.

The CDPSA “requires each covered entity and service provider to develop, document, implement, and maintain a comprehensive data security program that contains reasonable administrative, technical, and physical safeguards designed to protect personal data from unauthorized access and related harmful disclosures.” A critical element of privacy is controlling access to data. The negative implication means, “If I shouldn’t have access to certain of your data, or if I shouldn’t be able to use certain of your data without consent, then I need something in place to protect that from happening.”

Historically, privacy has been implemented through people and processes, often amounting to a promise to follow a privacy policy without any security controls to support that policy. As a result, having security controls in a data privacy bill is very important. The CDPSA maintains flexibility to adjust these safeguards to changes in technology and business arrangements. It’s important to note that any time the word “reasonable” appears in a bill, lawmakers are basically leaving the definition of “reasonable” to the enforcement agency (in this case, the FTC) or litigation. This definition can change over time. What is reasonable today may not be reasonable tomorrow because some technical advance or other aspect changes the risk profile.

In COPRA, a consumer has a right to data security. But where CCPA includes a vague reference related to “reasonableness,” in COPRA “a covered entity shall establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data. Such data security practices shall be appropriate to the volume and nature of the covered data at issue.” Then, specific requirements include areas such as penetration testing, vulnerabilities, and the retention and disposal of data. This bill is very specific, more specific than the general reasonable security measures in place with CCPA.

So, irrespective of whether any of these bills passes any time soon, enough legislation with broad definitions already exists at the state level. Any company needs to comply now. Enough laws exist that could potentially apply to companies, especially in regulated industries (such as financial services or healthcare). As with GDPR, companies should not sit and wait. From a business perspective, it’s good business to make privacy part of your business processes and your overall governance, risk management, and compliance program if you’re handling any measure of customers’ personal data (or handling it as a third party). To wait on any of these bills is perilous, especially when considering existing laws.

Also, sitting back and waiting like companies did with GDPR or the CCPA creates a bigger reputational risk. Often, companies are focused on financial consequences, which can certainly add up to a sizable amount of money. But privacy and security also relate to trust. Companies have worked hard to build relationships with customers, create products and services, and build a strong brand. If companies don’t maintain trust through privacy and security, then the risk to their reputation is significant.

Panelists urged companies to act now and take practical steps. Minimize your usage of data when practicable and try to both aggregate and deidentify data. While we’ve seen a reprieve from states trying to pass privacy laws this year, we’re going to start to see them come back next year. Data minimization is so important precisely because it’s so inexpensive these days to store data: many parts of organizations want to collect as much data as possible and store it forever. While implementing data privacy best practices is challenging, it’s important to collect only what is necessary for business purposes and, at a minimum, deidentify data as much as possible.

The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, underwriter, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.