TPHeinz Pixabay

US Federal Privacy Update, the CDPSA

Last week, on March 13, Senator Jerry Moran, vice chairman of the Senate Privacy Committee, tabled a bill to standardize the general federal framework on consumer data and privacy. This proposal will be called the “Consumer Data Security and Privacy Act of 2020”. (the “CDPSA” acronym). The aim of this act is to standardize the laws in force, in terms of privacy and data management, by coordinating the two most important laws in the sector, the European GDPR and the Californian CCPA, and “improving”, according to Senator Moran, some aspects, with a vision more favorable to small businesses (“small business”), regarding compliance with certain obligations.

On the presentation page of the above proposal, Section 2, immediately after the table of contents, clarifies some notions and definitions, for readers’ use and consumption, specifying, for example, that

(2) COLLECTION — The term ‘’collection’’ means the acquisition of personal data by any means, including by receiving, acquiring or transferring the data or by observation or interaction with the person to whom the data relate.
Or also
(10) PSEUDONYMIZATION — The term ‘’pseudonymization’’ means the processing of personal data in such a way that personal data can no longer be attributed or reasonably linked to a specific person without the use of additional information.
(A) are kept separate; and
(B) are subject to technical and organisational measures to ensure that personal data are not attributed to a specific individual.

Basically, there are 10 highlights of the Moran Act, which we list below:

A. The treatment of so-called “small business” seems more favorable than the CCPA, as it raises the minimum threshold for small business to be included in that category:
- less than 500 employees;
- less than 50 million average gross revenues in the last three years of activity;
- data processing of less than one million people
with a constant duty of due diligence.

B. No private right of action. The FTC or the State Attorneys General may bring civil enforcement actions under the CDPSA:
- raising and elevating the violation,
- requiring proper compliance with the CDPSA, or
- imposing a civil penalty (in addition to any injunctive relief), for actual breaches of the CDPSA or the regulations, assessing the penalty to be imposed on a case-by-case basis.

C. Expressed pre-emption. The CDPSA expressly takes precedence over state and local laws relating to privacy or the security of personal data, even though they are not precluded, unless in conflict with the CDPSA:
- data breach notification laws,
- criminal or civil procedure,
- general standards of fraud or public safety,
- privacy laws for any group of students as defined in FERPA,
- employment laws, including employment data laws;
- laws protecting the right of individuals to be free from discrimination based on race, sex, national origin or other suspect classifications identified under state law.

D. Preemption of federal law. The CDPSA prevails, therefore, except in the following cases, i.e. over certain legislations expressly mentioned by the act in question, such as, for example, the COPPA, i.e. The Children’s Online Privacy Protection Act, or the HIPAA, or, to mention another, the FERPA, The Family Educational Rights and Privacy Act.

E. The FTC, Federal Trade Commission, is the authority responsible for enforcing the CDPSA.

F. Exceptions for small businesses: if they qualify as covered entities, they will be “relieved” of certain obligations, those considered too burdensome for smaller entities.

G. Consent. The CDPSA distinguishes between two types of consent:
- implicit consent, when the person has consented to the processing of personal data, has not refused it and a certain period of time has elapsed which implies that the person has accepted it
- affirmative express consent, which must be expressed clearly and unequivocally, as a reaction to an action by the provider, and not by silent consent, with regard to all those data, which do not fall within the purposes permitted by the entity covered.

H. Privacy policy: it must be clearly expressed in simple and comprehensible forms to the masses, with two additional requirements, the online availability of each version of the policy and its subsequent amendments, highlighting any changes in a clearly visible way on the site (although not specifying what is meant by “material change”).

I. Processing of personal data: the CDPSA establishes that the processing may take place either for the purposes permitted or if authorised, and the transmission to third parties may take place, subject to clear communication to the user, or by express authorisation, or within the limits of the purpose of the covered entity that passed it on.

J. Permitted Purpose: Processing outside consent is granted herein to a reasonably necessary extent and limited to a defined purpose, with wider eligibility than GDPR, i.e. for:
- provision of services or performance of a contract;
- compliance with laws;
- prevention of immediate danger to the personal safety of the individual (e.g. product recalls);
- fraud prevention and security protection;
- research performed by the covered entity or service provider; and
- operational purposes of the covered entity or service provider (billing, website maintenance, marketing and advertising).

I would like to conclude with a personal opinion: although the increase in regulatory proposals to increase and improve the privacy of users and consumers is valuable, there is a risk, conversely, of “superproduction” of content, which could cause confusion among users, on which regulation to apply and under what circumstances to apply it!

All Rights Reserved

Raffaella Aghemo, Lawyer