Dueling Senate Data Privacy Measures Recognize Distinction Between HR and Consumer Data

December 06, 2019

Senate Commerce Committee Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) released separate consumer data privacy measures that both seek to exclude HR data from their provisions along lines recommended by the HR Policy Association.

In a hearing this week, the Commerce Committee discussed the two measures, with both Republicans and Democrats expressing agreement about the urgent need for a sweeping consumer data privacy law that provides many of the same rights as the California Consumer Privacy Act.

The elephants in the room:  While consensus is emerging in many other areas, Democrats and Republicans have been split on the issues of preemption and a private right of action.  Accordingly, Sen. Cantwell’s Consumer Online Privacy Rights Act (COPRA) includes a strong private right of action and does not preempt state laws.  Meanwhile, Sen. Wicker’s draft bill, the U.S. Consumer Data Privacy Act (USCDPA), preempts state laws and does not appear to include a private right of action.

Glimmers of compromise?  “[People] want a law,” said Sen. Richard Blumenthal (D-CN), who is expected to introduce his own measure.  “And you will see state laws all around the country—hopefully they won’t create too much inconsistency, but that’s where we’re going if we fail to act.”  Meanwhile, several Republicans suggested openness to a limited private right of action. 

Sen. Cantwell's COPRA attempts to exempt HR data by removing “employee data” from its definition of “covered data.” 

However:  There are several significant issues with the bill from an HR perspective.

  • If not deemed “necessary for the individual’s employment or application for employment,” data about employees and job candidates would be still subject to COPRA.  The bill does not clarify how to determine which data would be “necessary” for an individual’s employment.

  • Data about contractors, officers, directors, and owners of covered entities may be fair game.  Ambiguities in the language could lead to contractor data being subject to COPRA.  Additionally, officers, directors, and owners of covered entities are not addressed anywhere in COPRA’s definition of employee data, suggesting their information would be subject to COPRA’s requirements.

  • Employer diversity efforts under scrutiny?  In a “Civil Rights” section, the bill would ban processing of covered data on the basis of “race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability” for purposes of advertising, determining eligibility for, and offering employment, among other activities.  This could implicate an employer’s use of data in its diversity and inclusion strategies.

Sen. Wicker’s USCDPA also contains language excluding HR data, while being generally similar to Sen. Cantwell’s effort in a number of other areas. 

  • “Employee data” is defined broadly under the bill as “information relating to an individual collected by a covered entity in the course of the individual acting as a job applicant to, an employee of, owner of, director of, officer of, staff member of, or contractor of the entity, provided that such information is collected, processed, or transferred by the covered entity solely for purposes related to the individual’s status as a current or former job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that covered entity.” 

The potential downside of excluding HR data:  Notably, by exempting HR data, a federal bill likely would not preempt state efforts to regulate HR data.

What happens next:  While the Wicker and Cantwell measures will receive consideration in the Commerce Committee because of their leadership positions there, numerous other bills have already been introduced, with more yet to come.  Despite this activity, there is no space for action on any comprehensive consumer data privacy measure before the end of the year.  And with elections just around the corner, the prospects of a federal bill gaining momentum in 2020 seem similarly slim.  However, as Sen. Blumenthal noted, states will continue to legislate, placing more pressure on Congress to act in 2021.  With a provision excluding HR data from California’s data privacy law expiring on January 1, 2021, expect the policy conversation there, and perhaps nationally, to become more focused on HR data practices.  HR Policy will continue to be engaged on this issue by leading a coalition of member companies and business groups to aid lawmakers in recognizing the unintended consequences of such measures.