We are on to Round 3 of my “Federal Privacy Law Bingo” set of blog posts where I compare a Senator’s proposal for a national privacy law to the EU’s GDPR and California’s CCPA as well as the CPRA (aka V2 of CCPA that is on the ballot as Prop 24 in November here in California). In prior blogs I have looked at the federal privacy proposal from Senator Wicker (R-Miss) and Senator Cantwell (D-Wash).
In this blog post I am going to look at Senate Bill 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator Jerry Moran (R-Kansas) on March 12, 2020. I will refer to the bill as “Moran” in this blog post. Note that Moran and Wicker introduced the COVID-19 Consumer Data Protection Act of 2020 on May 7, 2020 (Senate Bill 3663) that appears for the most part to be a repackaging of the Moran bill that I will be analyzing in this blog.
Using my “Privacy Rights Rating” (PRR) system that I introduced in the Wicker blog post, I found that the Moran proposal rated the following compared to other privacy laws out there:
In using the “Parity to GDPR” (P2G) rating system that I also devised in the Wicker blog post, I found Moran ranked here:
Moran rates at the same level as CCPA, but note the bar is higher in terms of entities covered, namely Moran excludes businesses under $50 million while CCPA excludes businesses under $25 million.
High Points of Moran
As detailed in this Congressional Research Service (CRS) report, Moran has what other privacy bills have, i.e. they regulate “the use of personal information by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements.”
Like Cantwell, Wicker, GDPR and CPRA (but not CCPA), Moran provides “additional protections for sensitive information, including government-issued identification numbers, financial account numbers, health records, biometric data, and geolocation data.”
In terms of scope, Moran covers businesses and non-profits, but excludes small businesses. Moran’s small-business carve-out is much more generous than the others, raising the bar to $50 million. Others such as CPRA, Wicker and Cantwell are at $25 million.
Interestingly, there are no special protections for children/minors in the bill.
Like Cantwell and Wicker, Moran “would impose additional restrictions on large data holders that exceed certain revenue thresholds or process the covered information of a specified number of individuals.” Specifically, it adds requirements for entities that “collect and process data on more than 20 million individuals or sensitive information from more than 1 million individuals will have to appoint a privacy officer and conduct privacy impact assessments.”
Persons covered by Moran are “individuals” who reside in the US, à la Wicker.
In terms of enforcement, Moran, like Wicker, generically says the FTC will handle enforcement, vs. Cantwell and CPRA having dedicated enforcement agencies. Tantalizingly, Moran calls for “the Federal Trade Commission to appoint at least 440 additional workers to oversee privacy and security.”
Like Wicker, Moran does NOT “provide a private right of action for an individual to challenge, in court, a covered entity’s collection or use of that individual’s covered information.” And like Wicker, Moran would preempt state laws in privacy, although Moran “contains a number of exceptions for state laws that relate to other federal sector-specific privacy laws, such as the Gramm-Leach Bliley Act and the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191).”
Moran has no whistleblower provision, à la Wicker and Cantwell.
I have added a column to my GDPR vs. CCPA vs. CPRA summary table to reflect Moran. I tried giving Moran the benefit of the doubt on many of these items, so if I missed a green check mark or two, I probably made up for it in other areas.
Here it is:
Again, to the credit of the CCPA’s backers, they set a bar that a Conservative Republican from Kansas basically matches in many ways, while falling short of the higher bar that CPRA and GDPR set. Here’s how the bingo card looks.
Next up, Senate Bill 3300, the Data Protection Act of 2020, introduced by Senator Kirsten Gillibrand (D-NY) on February 13, 2020.