November 22, 2019
Top Democrats in the Senate committees with jurisdiction over data privacy released a federal consumer privacy law framework that leaves open the possibility that its requirements would cover HR data.
HR data not mentioned, but “consumer” undefined: The framework fails to differentiate between data in the consumer context and data in the employment context. The California Consumer Privacy Act as originally written also did not distinguish between consumer and HR data until California lawmakers amended the law to avoid significant issues. Many of the rights listed in the Framework, including the "right to know, access, delete," and "correct" personal data, are found within the CCPA.
AI targeted: As is increasingly becoming a feature of data privacy measures, algorithmic decision-making systems were highlighted for their potential to cause disparate impact scenarios. “Consumers must have transparency into black box algorithmic decisions,” the framework reads, “that may result in bias or discrimination, and the ability to challenge such decisions. Entities that process consumer data in automated systems must be required to review such algorithms in order to prevent discriminatory impact.” Previous bills with similar language on AI, including Reps. Anna Eshoo (D-CA) and Zoe Lofgren's (D-CA) recently-introduced Online Privacy Act (H.R. 4978), would apply to hiring and possibly other HR-related contexts.
Rigorous enforcement: The framework requires that federal enforcement agencies be able to seek “significant civil fines and criminal penalties, where possible, in the first instance of privacy and data security violations.” In addition, the framework calls for a “meaningful” private right of action and banning mandatory arbitration clauses that would prevent such action.
No preemption: Although asserting that federal enforcement “must be complemented by state enforcement of federal protections,” the framework does not mention that a federal law would have any preemptive character, nor does it limit states from creating their own data privacy laws.
Senate Democratic leadership helms the effort: Commerce Committee ranking member Maria Cantwell (D-WA), Judicial Committee ranking member Diane Feinstein (D-CA), HELP Committee ranking member Sen. Patty Murray (D-WA), and Banking Committee ranking member Sen. Sherrod Brown (D-OH) signed the framework. It was endorsed by Sens. Brian Schatz (D-HI), Ed Markey (D-MA), Ron Wyden (D-OR), and Senate Democratic leader Chuck Schumer (D-NY), who tasked the senators with drafting the framework.
What it means: The framework features significant backing by Senate Democratic leadership, a notable marker of unity on an issue that has lacked consensus to this point. Yet any legislatin without preemption or limiting a private right of action, both of which the framework lacks, is unlikely to receive support from the other side of the aisle.