We are on Round 4 of my “Federal Privacy Law Bingo” set of blog posts where I compare a Senator’s proposal for a national privacy law to the EU’s GDPR and California’s CCPA as well as the CPRA (aka V2 of CCPA that is on the ballot as Prop 24 in November here in California). In prior blogs I have looked at the federal privacy proposals from Senator Wicker (R-Miss), Senator Cantwell (D-Wash) and Senator Moran (R-Kansas).
In this blog post I am going to look at Senate Bill 3300, the Data Protection Act of 2020 (DPA) introduced by Senator Kirsten Gillibrand (D-NY) on February 13, 2020. I will refer to the bill as “Gillibrand” in this blog post.
Sorry, there is no bingo game with Gillibrand.
As detailed in this Congressional Research Service (CRS) report, Gillibrand “would create a new agency vested with the power to enforce existing federal privacy laws and authorize that agency to issue broadly applicable privacy regulations.” Specifically, compared to the other Federal privacy proposals, Gillibrand “would take a markedly different approach: it would not impose any new privacy obligations on covered entities. Instead, the bill would centralize all privacy oversight and enforcement responsibilities for existing, sector-specific laws—such as Title V of the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act of 1998—in a new Data Protection Agency.” In addition, Gillibrand “would also authorize the agency to issue regulations to prevent ‘unfair or deceptive act[s] or practice[s] . . . in connection with the collection, disclosure, processing, and misuse of personal data.’”
In other words, as the IAPP stated: “Unlike the proposed legislation from her colleagues in the Senate, Gillibrand’s draft bill focuses on establishing the Data Protection Agency (DPA) as an independent enforcement entity with rulemaking authority, not on the creation of specific privacy rights and obligations. … The proposed legislation would transfer the authority of the U.S. Federal Trade Commission to prescribe rules, issue guidelines, or conduct a study or issue a report under existing federal privacy laws to the DPA.”
As Gillibrand wrote in a blog post when she issued her proposal, the Data Protection Agency “would serve as a “referee” to define, arbitrate, and enforce rules to defend the protection of our personal data.” Forbes further noted that “a key component of the law would allow people to file complaints with the DPA when they believe a company has violated data privacy laws that would then potentially trigger investigations that could result in civil penalties, fines or injunctive relief. Right now, those complaints need to be filed with the Federal Trade Commission, but some consumer rights advocates and government officials have expressed frustration with the agency’s ability to enforce existing laws.”
Protocol further elaborates that “the agency would enforce current privacy laws and any future laws Congress passes and have rule-making authority to determine how those laws are carried out. Specifically, the agency would be able to conduct impact assessments on companies deploying “high-risk practices” with regard to data. That includes companies using data to profile people on a large scale. The bill also gives the agency the power to regulate consumer scoring in sensitive areas like housing, employment and education.”
I think it is a great idea to have a dedicated and funded agency to focus on privacy protection of consumers. That is what the CPRA proposes for California in the form of the California Privacy Protection Agency (CalPPA), something that the EU with the GDPR has for each member country. Senator Cantwell’s proposal has a focused enforcement arm, but as part of the FTC. Senators Wicker and Moran just have the FTC handling enforcement, with no mention of a dedicated agency, but I like Moran’s proposal to have over 400 staff members focused on this area.
Given how radically a government agency can change when a new Administration comes into power (e.g. Consumer Financial Protection Board), I am loath to not have the actual privacy rights articulated in a law; otherwise we could find our federal privacy rights ping-ponging back and forth based on whether a Democrat or Republican is in office.
So, I can’t benchmark Gillibrand against any other privacy bill(s) in terms of detailed privacy rights, but I will try to look at one more in the next blog post.