Democrats Push for Private Right of Action in Senate Commerce Committee Privacy Bill

Republican Senator John Thune provided an update to the media on the drafting of a federal privacy bill by members of the Senate Commerce Committee this week. According to the update, three Democratic Senators involved in the negotiations are pushing for a duty of care as well as a private right of action.

A private right of action would allow consumers to sue companies for a violation of some or all of the law. Consumers have been suing companies for privacy breaches for some time now but must overcome difficult issues of standing. In other words, they must demonstrate an injury and many judicial opinions have found that there is no injury if the information is not misused to the monetary detriment of the plaintiff.

A private right of action was included in the original California Consumer Privacy Act (CCPA) but its scope was cut back as part of AB-375 before it was passed by the California State Legislature. The version that passed included a private right of actions for consumers against companies that have a data security breach of unencrypted personal information when they have not implemented or maintained reasonable security practices. It set statutory damages for a breach at between $100 and $750 per consumer per incident. It also allowed individuals to sue for actual damages.

The California Attorney General and several members of the legislature pushed for an expanded scope to the private right of action this spring as part of a bill in the California Senate – SB561. The bill was approved by the Senate Judiciary Committee there but was held by the Senate Appropriations Committee. If approved, SB 561 would have allowed consumers to sue for a violation of any section of the CCPA.

The duty of care provision would require companies to exercise reasonable care in safeguarding personal information. A similar provision was proposed last year in a privacy bill by Senator Brian Schatz (D-HI).

Timeline Update

The chances of a new federal privacy law happening before the CCPA becomes effective on January 1, 2020 are slipping dramatically. With Memorial Day weekend approaching, another month has passed without reaching a bipartisan consensus on a privacy bill.

The latest on the draft privacy bill from the bipartisan Senate Commerce Committee efforts are that it will not be ready before the end of May. Senator Jerry Moran (R-KS) said that he had hopes that the text would be presented in June.

Even if a compromise is reached, there have been questions about whether the bill could be passed by the US House of Representatives, which has a substantial contingent of Democratic lawmakers from California including Speaker of the House Nancy Pelosi.

In addition to substantial concerns about a private right of action, many Republicans and businesses want any federal privacy bill to include a preemption clause that blocks state regulation of privacy. The hope is that such a measure would create a national standard on privacy and prevent the development of a patchwork of state regulations with significant compliance costs and risks.

More than a dozen states considered new privacy laws this year after California’s passage of the CCPA last year. Although progress was made in many states including most noticeably Washington, states appear to be still building internal consensus on the right measures to include.

We are closely following events at both the federal and state level and will continue to provide updates on the Clarip Privacy Blog as they become available.