- Companies that collect consumer data would have requirements for ensuring that the information is protected and secure.
- Companies would have to meet more robust notice requirements prior to sharing consumer information with third parties. For example, the law would require opt-in or opt-out requirements depending on the type of information and with whom it is being shared.
- Companies would have to ensure that consumer information is accurate, and consumers would be provided with a mechanism by which to verify the accuracy, including options for correcting erroneous information.
- The bill grants authority to the Federal Trade Commission and State Attorneys General to enforce the law and impose fines.
- The law also includes a safe harbor provision to mitigate fines, but the compliance requirements likely will be stricter than the bill’s stated compliance obligations.
Although the Commercial Privacy Bill of Rights preempts state privacy laws that cover the collection, storage and use of consumer information, unfortunately the bill does not preempt state data breach laws. The result is that small- and medium-sized businesses will have an additional layer of compliance regulations as opposed to a more streamlined approach. In addition, there are new fines that can be imposed on top of state fines. Failure to comply with this regulation can lead to daily fines totaling $16,500 with an overall ceiling of $3 million.