Member Blog: Florida Senator Marco Rubio Introduces Federal Data Privacy Legislation
Mac Murray and Shuster partner reports on requirements in bill seen as a response to similar legislation in California that takes effect next year.
1/30/2019 8:00 AM
By Nick Whisler
Partner, Mac Murray and Shuster LLP
U.S. Sen. Marco Rubio, R-Fla., recently introduced the American Data Dissemination Act (“ADD”), which targets businesses that collect personal data through the internet. Considering the lack of federal regulation in this area, a federal bill has been anticipated for some time. The ADD is largely seen as a response to California’s Consumer Privacy Act (“CCPA”), a GDPR-style (General Data Protection Regulation) law that places strict regulations on a company’s collection and sharing of consumer data.
What Does the Bill Require?
The ADD is largely devoid of specific data privacy regulations. Instead, it requires the Federal Trade Commission to submit detailed recommendations to Congress within 180 days after the bill is passed. If Congress fails to enact the FTC’s recommendations within two years, the ADD gives the FTC authority to issue a final rulemaking. Realistically, this means that within two and a half years of this bill becoming law, there would be a federal privacy law in the United States.
The FTC, however, has been given instructions that limit the content and scope of its recommendation. The ADD requires that the FTC’s recommendation be “substantially similar, to the extent practicable” to the requirements of the 1974 Privacy Act. Many have criticized this restriction, calling the 1974 Privacy Act too old and antiquated to address the data privacy concerns of the modern consumer.
The ADD includes many more limiting instructions. For example, the following provisions must be included in the FTC’s final recommendation to Congress:
- Criteria for exempting certain small, newly formed businesses;
- Criteria for restricting the disclosure of records maintained by covered businesses;
- Criteria for granting individuals access to records in response to their requests and, if a covered business elects, for deleting the record subject to certain requirements;
- Criteria for consumers to update incomplete and inaccurate records;
- Establishing a dispute resolution process modeled after section 611(a) of the Fair Credit Reporting Act (FCRA);
- Establishing accepted standards for a code of practices to ensure the secure collection, maintenance, and dissemination of records for covered businesses; and,
- Establishing a process for accounting records of disclosures for a reasonable period.
If the bill passes, the FTC will have significant discretion in determining the stringency of privacy regulations adopted. Proponents of strict regulation are advocating for a GDPR-style regulation. This, however, seems unlikely considering the ADD’s limited scope and exemptions for small businesses and startups.
Effect on State Law
The ADD specifically states that the regulations promulgated under the Act shall supersede any provision of state law regulating businesses that are subject to the Act. States could continue to regulate businesses not covered by the ADD.
Proponents of the ADD welcome this preemption provision, arguing that it may curb the broad reach of CCPA and/or prevent companies from dealing with a “patchwork” of state laws and regulations. Consumer privacy advocates and many states are likely to oppose the bill on grounds that it doesn’t go far enough and unnecessarily preempts state laws.
Mac Murray & Shuster will keep you updated on this bill and other privacy developments.
Ali Najaf contributed to this post.
Editor’s note: This content is published with permission from Mac Murray and Shuster LLP. This article is provided for informational purposes and is not intended nor should it be taken as legal advice. The views and opinions expressed in this article are those of the author in their individual capacity and do not reflect the official policy or position of their partners, entities, or clients they represent.