Federal 2020 Consumer Data Privacy and Security Act Overview
March 14, 2020
On March 13, 2020, Senator Jerry Moran (R-Kansas), Chairman of the Senate Commerce Subcommittee on Consumer Protection, introduced the “Consumer Data Privacy and Security Act of 2020” (the “CDPSA”). The CDPSA joins several other proposed pieces of federal legislation vying to create an overarching federal data-privacy framework. Generally, the CDPSA is consistent with the current data-privacy legal frameworks: it integrates themes from the CCPA and GDPR and also draws lessons from some of their shortfalls (e.g., the CDPSA excludes employee data from the definition of personal data). On the spectrum of business-friendliness, the CDPSA is more favorable to small and midsize businesses than the CCPA and GDPR for several reasons, some of which are discussed below. Perhaps the most significant are the favorable thresholds established by the CDPSA for qualification as a “small business” and the absence of a private right of action. The CDPSA provides for individual rights and protections similar to those of the CCPA and GDPR but attempts to reduce the burden on small and midsize businesses by exempting “small businesses” from certain compliance obligations (e.g., small businesses are not required to comply with an individual’s rights to access, accuracy, or correction).
The following are our Top 10 highlights of the CDPSA:
1. Small Business. The definition of “Small Business” is favorable to small and midsize businesses because the qualification thresholds are higher than the CCPA’s: <500 employees (CCPA: N/A); <$50 Million in average gross receipts for the previous 3 years (CCPA: >$25 Million, no year requirement); processes personal data of <1 Million individuals (CCPA: N/A). The 500-employee threshold especially benefits small businesses because it does not penalize them for being successful. However, the CDPSA imposes on covered entities an ongoing duty of due diligence over their service providers, which could be quite a resource-heavy endeavor.
2. No private right of action. The FTC or State Attorneys General may bring civil enforcement actions under the CDPSA to: (1) enjoin the violative practice, (2) enforce compliance with the CDPSA or its regulations, or (3) impose a civil penalty (in addition to any injunctive relief) for actual-knowledge violations of the CDPSA or its regulations. The civil penalty shall be the number of individuals affected by a violation multiplied by an amount not to exceed $42,530. The CDPSA establishes several factors to be considered in determining the amount of the civil penalty.
3. Express preemption of state law. The CDPSA expressly preempts state and local laws related to the privacy or security of personal data. However, the following state and local laws shall not be preempted to the extent such laws do not conflict with the CDPSA: (1) data breach notification laws, (2) criminal or civil procedure, (3) general standards of fraud or public safety, (4) laws that address the…