In the latest proposal to be presented to lawmakers, Sen. Patrick Leahy (D-Vt.) put forth the Consumer Privacy Protection Act (S.1158) that was co-sponsored by Sens. Richard Blumenthal (D-Conn.), Elizabeth Warren (D-Mass.), Al Franken (D-Minn.), Ed Markey (D-Mass.), and Ron Wyden (D-Ore.).
For businesses that store sensitive personal or financial information on 10,000 customers or more, the bill would establish minimum data security requirements with civil penalties for companies that fail to comply. Covered entities would be obligated to notify consumers within 30 days of a data breach when it includes generally accepted personally identifiable information such as name, address, and Social Security number, and fields that are not as common such as geolocation, photos, videos, biometric data and fingerprints.
“Today, data security is not just about protecting our identities and our bank accounts; it is about protecting our privacy,” Sen. Leahy said in a statement. “Americans want to know not just that their bank account and credit cards are safe and secure, they want to know that their emails and their private pictures are protected as well.”
However, in a departure from the other data security bills currently pending in Congress, S.1158 would not preempt more protective state laws. “In crafting federal law, we must be careful not to override the strong state laws that took years to accomplish with weaker federal protections,” Sen. Leahy said. “We must ensure that consumers do not lose privacy protections they currently enjoy.”
With a current patchwork of 47 different data breach notification laws on the books in states across the country, the need for a single national standard has been an important issue. But consumer groups and some lawmakers have expressed concern that other proposed laws would preempt the state versions at the cost of consumer protection.
For example, the Data Security and Breach Notification Act introduced earlier this year by Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) generated criticism from legislators and the Federal Trade Commission. Testifying at a hearing before the House Subcommittee on Commerce, Manufacturing, and Trade, the agency’s Director of Consumer Protection, Jessica Rich, expressed concern that the proposed law does “not provide the strong protections that are needed to combat data breaches, identity theft, and other substantial consumer harms.”
According to Sen. Leahy, his legislation’s cap on preemption makes it the most consumer-friendly option, and the bill has garnered support from groups like the Center for Democracy & Technology and Consumers Union. “All lawmakers who support consumers should support this bill,” Sen. Leahy said.
Why it matters: As federal lawmakers consider data security legislation this term and the number of data security bills mounts, the likelihood that a law will actually pass remains unclear. In addition to the Consumer Privacy Protection Act and the Data Security and Breach Notification Act, Reps. Bobby Rush (D-Ill.) and Joe Barton (R-Texas) reintroduced the Data Accountability and Trust Act, Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) pushed the Data Security Act, and Sens. Bill Nelson (D-Fla.) and Mark Warner (D-Va.) both proposed their own legislation.