Federal Privacy Law Bingo: Comparing Wicker to GDPR / CCPA / CPRA
I was recently interviewed for a Diginomica article on my thoughts if the California Privacy Rights Act of 2020 (CPRA) – on the ballot as Proposition 24 – would become the standard for a national consumer privacy law. I answered Yes and told the reporter that it was a very timely conversation as I am currently researching the various Federal privacy law proposals coming out of DC. So in the next few blog posts I am going to benchmark various Senator’s privacy proposals to both the European Union’s General Data Protection Regulation (GDPR) and the existing California law (California Consumer Privacy Act aka CCPA) as well as to the CPRA.
In today’s blog, we will play “Privacy Bingo” with a national privacy legislation proposal from Senator Roger Wicker (R-Miss) 😊.
Source:
R: This Bingo Photo by Unknown Author that is licensed under CC BY-NC-ND
Executive Summary
It is hard to do an apples-to-apples comparison of privacy laws, as the scope of who it applies to and who is covered etc. can differ, but starting with this blog I am going to try with a quick back of the hand measuring system which I will call the “Privacy Rights Rating” (PRR) system. It simply uses my well-trafficked exec summary table that I published as part of my executive summary of GDPR vs. CCPA vs. CPRA (also see below). Namely, I am going to grade based on percentage of green check marks possible in the table below, by specifically looking at rows 4-5, 7 and 9-35, which will let me get a quick reading of relative depth of privacy rights that each law gives. i.e. it is a rough approximation of relative strength of the privacy law.
So, here’s how Wicker ranks
Alternatively, if you want to benchmark Wicker to GDPR (often thought of as the gold standard of privacy laws), here is my newly introduced “Parity to GDPR” (P2G) rating system based on GDPR setting the baseline of 28 green checks. Again it is a rough approximation of parity to GDPR.
To the backers of CCPA’s credit, they set the initial bar here in the US, and a Republican Senator has matched it in many ways. But Wicker would be a downgrade of what voters would get if they passed CPRA in California in November, which is at near parity with the GDPR. So I am sticking with the conclusion I put forth in my recent blog post “Why the CPRA is a Critical Lynch Pin for a Comprehensive Federal Privacy Law.” Namely, if CPRA were to be approved by the voters in November that it would (a) be a key impetus to driving adoption of a federal privacy law and (b) significantly increase the likelihood that the federal legislation would be more closely aligned to the stronger GDPR privacy model vs. being watered down.
Background
As detailed in this Congressional Research Service (CRS)report (and I am quoting the next set of bullets directly from it), there are at least 6 federal privacy law proposals floating around Washington DC:
H.R. 4978, the Online Privacy Act of 2019, introduced by Representatives Anna Eshoo and Zoe Lofgren on November 5, 2019;
The United States Consumer Data Privacy Act of 2019 (“USCDPA Draft”), a discussion draft circulated by Senator Roger Wicker (R-Mississippi) on November 27, 2019;
S. 2968, the Consumer Online Privacy Rights Act, introduced by Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019;
An untitled December 18, 2019, discussion draft (“E&C Draft”) from the House Energy and Commerce Committee, spearheaded by Representatives Cathy McMorris-Rodgers and Schakowsky;
S. 3300, the Data Protection Act of 2020, introduced by Senator Kirsten Gillibrand on February 13, 2020; and
S. 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator Jerry Moran on March 12, 2020.
I am going to try to tackle the Senate bills/proposals, as they represent proposals coming from both Republicans and Democrats, and given that is likely that the Senate will be near-ish 50-50 post the November election, I figure the Senate proposals would be better indicator of where things would land compromise-wise.
First up, the Wicker draft aka the “United States Consumer Data Privacy Act of 2019” aka USCDPA, but I will just refer to “Wicker.” It is also 25 pages so also makes it easier for me to review 😊
High Points of Wicker
Wicker has many of the standard consumer privacy rights (which I will detail below) and his proposal does offer extra protection for “sensitive personal information.” Wicker would also per the CRS would “impose additional restrictions on large data holders that exceed certain revenue thresholds or process the covered information of a specified number of individuals.”
Wicker applies to a “covered entity” that means any person who operates in or affects interstate or foreign commerce, with the CPRA-style carve out of not applying to businesses less than $25 million in revenue and/or processes covered data on less than 100,000 individuals. An “individual” is someone who resides in the US, so does not apply if you were a citizen who lived abroad, but does apply to a non-citizen living in the US.
Wicker does vest the Federal Trade Commission with enforcement authority vs. creating a new bureau or supervisory authority. Wicker relies on “the oversight agency and state attorneys general to enforce the bills’ provisions.” There is no private right of action for anything. Nor does it include any form of a national breach notification, which I think is critical after I uncovered problems that even California has with their data breach notification law.
I like how Wicker adds a whistleblower protection clause, I probably need at some point to factor that into my summary spreadsheet.
It excludes employee data from its definition of “covered data.” Employee data is specific to data collected while applying and/or doing one’s job.
Wicker has the concept of service provider and third-party ala CCPA. It calls for data brokers to register with the FTC ala data brokers need to register with the States of California and Vermont per their respective state laws.
Interestingly it has a section on “digital content forgery” (e.g. deep fakes) and calls for more research in this area.
Key to us in California with passage of the CPRA, Wicker would expressly preempt state law. As you can see from the table below, Wicker offers parity with the CCPA but definitely not with CPRA and its GDPR level of privacy rights, so would be a downgrade of rights for Californians based on Prop 24 passing and not close to European privacy levels.
Nitty-Gritty Details
I have added a column to my GDPR vs. CCPA vs. CPRA summary table to reflect Wicker. I tried giving Wicker the benefit of the doubt on many of these items, so if I missed a green check mark or two, I probably made up for it in other areas.
Here it is:
Again, to the backers of the CCPA’s credit, they set the bar for a Conservative Republican from Mississippi to basically match it in many ways but fall short of the higher bar that CPRA and GDPR follows. Here’s how the bingo card looks.
Next up, Senator Maria Cantwell’s S. 2968, the Consumer Online Privacy Rights Act. Cantwell is a Democratic Senator from the State of Washington.