Federal Privacy Law Bingo: Comparing Cantwell to Wicker / GDPR / CCPA / CPRA
We are on to Round 2 of my “Federal Privacy Law Bingo” set of blog posts where I compare a Senator’s proposal for a national privacy law to the EU’s GDPR and California’s CCPA as well as the CPRA (aka V2 of CCPA that is on the ballot as Prop 24 in November here in California).
In this blog post I am going to look at Senate Bill 2968, the Consumer Online Privacy Rights Act, which was introduced by Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019. I will refer to it as “Cantwell.” In my last blog post I looked at the federal privacy proposal from Senator Wicker (R-Miss), so I will add Wicker to the comparison mix.
Executive Summary
Using my “Privacy Rights Rating” (PRR) system that I introduced in the Wicker blog post, I found that the Cantwell proposal rated the following compared to other privacy laws out there:
In using the “Parity to GDPR” (P2G) rating system that I also devised in the Wicker blog post, I found Cantwell ranked here:
It is not surprising that a proposal coming from a Blue State Democratic Senator would be more pro-consumer than a Conservative Republican Senator, but even the Cantwell proposal does not match the CPRA in terms of parity to GDPR and overall Privacy Rights.
Going into the November election, the Senate is deadlocked on privacy legislation, with the sticking points being pre-emption (e.g. overwriting California’s CCPA or eventually CPRA) and private rights of action. But even if the Senate were to flip in November to the Democrats, there would be a narrow Democratic majority, and the final bill would probably be the average between Cantwell and Wicker — e.g. in the mid-60% compared to GDPR, so still not close to the CPRA/GDPR levels of privacy rights.
Hence, I still strongly believe that the CCPA set the initial bar for Federal privacy legislation, a bar that even a Conservative Republican like Wicker had to meet and exceed, so to me passage of the CPRA would set the bar higher than the average of Cantwell/Wicker. As I articulated in this blog post on why the CPRA is a critical linchpin in getting comprehensive Federal privacy legislation, if the CPRA fails to pass, then the message sent to a new Congress would be that if a GDPR-like law can’t pass in the bellwether State of California, it does not bode well for a comprehensive GDPR-like Federal bill getting passed.
But let’s look at Cantwell in more detail.
High Points of Cantwell
As detailed in this Congressional Research Service (CRS) report, Cantwell does what other privacy bills do, i.e. it regulates “the use of personal information by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements.”
Like Wicker, GDPR and CPRA (but not CCPA), Cantwell provides “additional protections for sensitive information, including government-issued identification numbers, financial account numbers, health records, biometric data, and geolocation data.”
In terms of scope, Cantwell covers only entities or persons subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq. — I could not find what that equates to, so will update the blog later), excluding small businesses. The small business carve-out is the same CPRA-style one (which Wicker also has): the law does not apply to businesses with less than $25 million in revenue and/or that process covered data on fewer than 100,000 individuals.
Cantwell, like Wicker, “would impose additional restrictions on large data holders that exceed certain revenue thresholds or process the covered information of a specified number of individuals.”
Persons covered by Cantwell are “individuals” who reside in the US, à la Wicker. Oddly, I could not find any mention of special protections for children.
In terms of enforcement, Cantwell proposes a dedicated agency inside the Federal Trade Commission, while Wicker generically says the FTC will handle enforcement.
Unlike Wicker, Cantwell “would provide a private right of action for an individual to challenge, in court, a covered entity’s collection or use of that individual’s covered information.” Furthermore, and again unlike Wicker, Cantwell “would explicitly preserve state laws and would only preempt state laws to the extent they conflict with those bills.”
Like Wicker, Cantwell has a whistleblower protection component, which I have not seen in GDPR, CCPA and CPRA. Good idea. It also has a section on the need to further research “digital content forgeries” aka “deep fakes,” à la Wicker.
I love the fact that there is a reference to potentially issuing regulations regarding a “centralized, to the extent feasible” way “to minimize the number of opt-out designations of a similar type that a consumer must make.” It then says the FTC should “be informed by the Commission’s experience developing and implementing the National Do Not Call Registry,” which is very cool: basically they appear to be hinting at what I proposed (completely unbeknownst to what Cantwell had in her proposal), namely a “Do Not Sell My Personal Information” registry. I never said what I wrote was original, but glad to see it echoed here!
Nitty-Gritty Details of Cantwell
I have added a column to my GDPR vs. CCPA vs. CPRA summary table to reflect Wicker and now Cantwell. I tried giving Wicker and Cantwell the benefit of the doubt on many of these items, so if I missed a green check mark or two, I probably made up for it in other areas.
Cantwell could bridge the gap with CPRA by providing protection for children (bizarre they don’t). I am not sure why neither Wicker nor Cantwell puts a data breach notification requirement in as well. Instead they default to fragmented state laws here. To clarify a bit more, I did not give Cantwell or Wicker credit for a breach notification law, but gave California credit as they have the strictest State law, so CCPA/CPRA benefit from that, while federal privacy law would potentially have to rely on some of the weaker State breach laws that, for example, have limited reporting requirements and narrow definitions of personal data. Cantwell could also get closer to CPRA/GDPR by adding a right to restrict processing and a right to reject automated decision making. And neither Wicker nor Cantwell has the requirement for the home page links for Do Not Sell/Share or Limit Use of Sensitive Information.
Let’s fill out the bingo card!
Next up, Senate Bill 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator Jerry Moran (R-Kansas) on March 12, 2020.
[Disclosure: I have donated to Senator Markey’s re-election campaign.]