Legal Sidebar

Watching the Watchers: A Comparison of
Privacy Bills in the 116th Congress

April 3, 2020
As a growing number of states enact or consider consumer privacy protection measures, many in
Congress are pushing for a comprehensive federal consumer privacy framework. In 2019, both the Senate
Committee on Commerce, Science, and Transportation and the House Energy and Commerce
Committee’s Subcommittee on Consumer Protection and Commerce held hearings on protecting
consumer privacy. And in the last few months, Members of Congress have introduced four consumer
privacy bills and circulated discussion drafts of two additional proposals:
• H.R. 4978, the Online Privacy Act of 2019, introduced by Representatives Anna Eshoo
  and Zoe Lofgren on November 5, 2019;
• The United States Consumer Data Privacy Act of 2019 (“USCDPA Draft”), a discussion
  draft circulated by Senator Roger Wicker on November 27, 2019;
• S. 2968, the Consumer Online Privacy Rights Act, introduced by Senators Maria
  Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019;
• An untitled December 18, 2019, discussion draft (“E&C Draft”) from the House Energy
  and Commerce Committee, spearheaded by Representatives Cathy McMorris-Rodgers
  and Jan Schakowsky;
• S. 3300, the Data Protection Act of 2020, introduced by Senator Kirsten Gillibrand on
  February 13, 2020; and
• S. 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator
  Jerry Moran on March 12, 2020.
Five of the six proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take similar
approaches. Although details vary somewhat from bill to bill, each regulates the use of personal
information by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a
defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those
requirements. The five proposals differ, however, in three key respects: (1) which federal agency would
have enforcement power; (2) whether to preempt state privacy laws; and (3) whether to provide a private
right of action. The sixth bill, S. 3300, takes a different approach: it would create a new agency vested
with the power to enforce existing federal privacy laws and authorize that agency to issue broadly
applicable privacy regulations.

Congressional Research Service
https://crsreports.congress.gov
LSB10441
CRS Legal Sidebar
Prepared for Members and Committees of Congress

This Sidebar highlights the main components of and key differences between these proposals before
identifying several issues for the 116th Congress.
Main Components
The six proposals share a number of components. Each bill defines the type of information it would
protect (covered or personal information or data) in similar terms, with most including information that is
linked or reasonably linkable to an individual. Many of the proposals (the USCDPA Draft, S. 2968, the
E&C Draft, and S. 3456) would provide additional protections for sensitive information, including
government-issued identification numbers, financial account numbers, health records, biometric data, and
geolocation data.
Likewise, each bill specifies the type of entities it would cover, though the breadth of this coverage varies.
S. 2968 would cover only entities or persons subject to the Federal Trade Commission Act, excluding
small businesses. Conversely, S. 3300 would apply to any “person” (which, under existing law, would
include corporations and other businesses) “that collects, processes, or otherwise obtains personal data
with the exception of an individual processing personal data in the course of personal or household
activity.” Some bills (H.R. 4978, S. 2968, S. 3456) would exempt certain types of entities, in whole or in
part, such as small businesses and entities engaged in journalism. In addition, some bills (the USCDPA
Draft, S. 2968, S. 3300) would impose additional restrictions on large data holders that exceed certain
revenue thresholds or process the covered information of a specified number of individuals.
The six proposals also specify which agency would be responsible for enforcing the new laws, offering
two main approaches. Most bills would either vest the Federal Trade Commission with enforcement
authority (the USCDPA Draft, S. 3456) or create a new bureau within that agency (S. 2968, E&C Draft).
Two bills, however—H.R. 4978 and S. 3300—would create new agencies to oversee privacy
requirements.
Individual Rights and Covered Entities’ Duties
Five of the proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take a similar
substantive approach, creating protections for covered information that are enumerated as individual
rights and covered entity duties. Although each bill uses different terminology—certain protections
appear as rights in some bills and duties in others—and would recognize a slightly different set of rights
and duties, some protections are common to all five proposals. Table 1 identifies selected protections
under each of these five proposals.
First, each of these five proposals (H.R. 4978, S. 2968, S. 3456, and the two discussion drafts) would
recognize a core set of individual rights with respect to covered information held by covered entities. The
right of access would give individuals the right to view their covered data held by covered entities, a list
of third parties to which that data had been transferred, and the purposes of any such transfers. The right
of deletion would allow an individual to request that covered entities delete (or, under some bills,
de-identify) any of that individual’s covered information, with some exceptions. The right of correction
would give individuals the ability to correct—or require a covered entity to correct—inaccurate
information. The right of portability would require covered entities to provide individuals, on request,
with copies of their data free from any restrictions on use. And the right of information (also called the
right of transparency or the right to know) would require a covered entity to provide individuals with
copies of the entity’s privacy policy, as well as any updates to the privacy policy.


Second, each proposal would create notice and consent requirements for how covered entities would use
covered information. Under these requirements, a covered entity would have to notify an individual when
it intends to collect or transfer information. The entity would then have to ask the individual for
affirmative consent (opt in) or give the individual a chance to opt out of the collection or transfer.
Finally, each of these five proposals would require covered entities to limit how they collect and use
covered information and to take certain steps to safeguard that information. The duty of minimization
would limit a covered entity’s collection, processing, and transfer of covered information to no more than
it reasonably needs to provide the product or service that an individual requested. Complementing that
duty, covered entities would be required to safeguard covered information in their possession by
implementing physical security and cybersecurity policies.
Table 1. Selected Protections in Pending Privacy Legislation

| | H.R. 4978 | USCDPA Draft | S. 2968 | E&C Draft | S. 3456 |
|---|---|---|---|---|---|
| Right of Access | § 101 | § 103(a)(1)(A) | § 102(a) | § 5(a)(2) | § 5(b) |
| Right of Correction | § 102 | § 103(a)(1)(B) | § 104 | § 5(a)(3) | § 5(c) |
| Right of Deletion | § 103 | § 103(a)(1)(C) | § 103 | § 5(a)(5) | § 5(d) |
| Right of Portability | § 104 | § 103(a)(1)(D) | § 105(a) | | § 5(b)(2)(B) |
| Right of Information | § 107 | § 102 | § 102(b) | § 3(a)(1) | § 4 |
| Notice Requirements | §§ 212(a), 213 | § 102 | § 102(b) | § 3(a)(1) | § 3(b)(2) |
| Opt-Out Consent | § 212(b)(2) | § 104(d) | § 105(b) | § 6(c) | § 3(b)(1)(A) |
| Opt-In Consent | § 212(b)(1) | § 104(a) | § 105(c) | § 6(d) | § 3(b)(1)(B) |
| Minimization | § 201 | § 105 | § 106 | § 7(a)(1) | § 3(d) |
| Data Security | § 214 | § 204 | § 107 | § 9 | § 6 |

Source: CRS, using information from H.R. 4978, the USCDPA Draft, S. 2968, the E&C Draft, and S. 3456.
An Alternative Approach: S. 3300
Compared to the other five proposals, S. 3300 would take a markedly different approach: it would not
impose any new privacy obligations on covered entities. Instead, the bill would centralize all privacy
oversight and enforcement responsibilities for existing, sector-specific laws—such as Title V of the
Gramm-Leach-Bliley Act (Pub. L. No. 106-102) and the Children’s Online Privacy Protection Act of
1998 (Pub. L. No. 105-277)—in a new Data Protection Agency. S. 3300 would also authorize the agency
to issue regulations to prevent “unfair or deceptive act[s] or practice[s] . . . in connection with the
collection, disclosure, processing, and misuse of personal data.”
Key Differences
Although the bills are similar in many respects, they contain two major areas of divergence that may
make it difficult for Congress to reach consensus: whether to include a private right of action and whether
to preempt state law.
Two of the bills—H.R. 4978 and S. 2968—would provide a private right of action for an individual to
challenge, in court, a covered entity’s collection or use of that individual’s covered information. (For a
discussion of the constitutionality of private rights of action in this space, see CRS Legal Sidebar
LSB10303, Enforcing Federal Privacy Law—Constitutional Limitations on Private Rights of Action,
coordinated by Chris D. Linebaugh.) Both bills would also allow an individual to seek damages for harm
caused by the covered entity’s use of the individual’s information. In contrast, three bills—the USCDPA
Draft, S. 3300, and S. 3456—would not create a new private right of action, instead relying on the
oversight agency and state attorneys general to enforce the bills’ provisions. The E&C Draft includes a
placeholder heading for private rights of action without any specific requirements.
Similarly, the proposals are split on whether to preempt state privacy laws expressly, such as the
California Consumer Privacy Act (CCPA). (For more information on preemption, see CRS Report
R45825, Federal Preemption: A Legal Primer, by Jay B. Sykes and Nicole Vanatko; for a discussion on
the CCPA, see CRS Legal Sidebar LSB10213, California Dreamin’ of Privacy Regulation: The California
Consumer Privacy Act and Congress, coordinated by Eric N. Holmes.) Two of the bills—the USCDPA
Draft and S. 3456—would expressly preempt state law, though S. 3456 contains a number of exceptions
for state laws that relate to other federal sector-specific privacy laws, such as the Gramm-Leach-Bliley
Act and the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191). Two of
the bills—S. 2968 and S. 3300—would explicitly preserve state laws and would only preempt state laws
to the extent they conflict with those bills. Finally, neither H.R. 4978 nor the E&C Draft states whether
they would preempt or preserve state laws. (The E&C Draft again has a placeholder heading.)
Table 2 summarizes these differences.
Table 2. Major Differences in Pending Privacy Legislation

| | H.R. 4978 | USCDPA Draft | S. 2968 | E&C Draft | S. 3300 | S. 3456 |
|---|---|---|---|---|---|---|
| Private Right of Action | Yes (§ 407) | No | Yes (§ 301(c)) | Not specified | No | No |
| State Law Preemption | Not specified | Yes (§ 404) | Only direct conflicts (§ 302(c)) | Not specified | Only direct conflicts (§ 10(a)) | Yes, with exceptions (§ 10(a)) |

Source: CRS, using information from H.R. 4978, the USCDPA Draft, S. 2968, the E&C Draft, S. 3300, and S. 3456.
Issues for the 116th Congress
Although the proposals are similar in many respects, they differ in key ways, including whether the new
federal laws would preempt state law and whether individuals would have a private right of action to
enforce the law. As several news outlets have discussed, these “key sticking point[s]” make it “unclear if
there is any path forward for privacy legislation.”

A dispute over whether to include a private right of action has prevented the passage of Washington
State’s privacy bill, and disagreement on this point could lead to a similar result in Congress. The
preemption issue relates to a more time-sensitive concern: whether Congress seeks to guide the national
debate on privacy laws, rather than respond to it. California is working to implement the CCPA, and more
than a dozen states continue to develop their own privacy legislation. Until Congress provides direction
through a federal bill—whether or not it preempts state law—it seems likely that states will develop a
patchwork of laws that may be inconsistent and difficult for businesses to navigate.
Some Members have indicated that there is room for continued negotiation, though others seem
less hopeful. Ultimately, unless Congress comes to an agreement on these two core issues, it may
be unlikely that any of these proposals will gain traction.


Author Information

Jonathan M. Gaffney
Legislative Attorney

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

LSB10441 · VERSION 1 · NEW