Leahy Introduces The Consumer Privacy Protection Act

Senator Patrick Leahy (D-Vt.), joined by six other senators, Tuesday introduced comprehensive consumer privacy legislation to protect Americans’ sensitive personal information against cyberattacks and to ensure timely notification and protection when data is breached.

Leahy’s Consumer Privacy Protection Act of 2017 would require companies to take preventive steps to defend against cyberattacks and data breaches, and to quickly provide consumers with notice and appropriate protection when a data breach occurs.  The bill addresses the kinds of security breaches that have affected multiple companies – most notably the recent, massive Equifax breach that exposed the personal information of almost half the American population. This sensitive consumer information is increasingly targeted by both criminal hackers and hostile foreign powers.

Leahy said:  “Companies that profit from our personal information should be obligated to take steps to keep it safe, and to provide notice and protection to consumers when those protections have failed.  This is a comprehensive program to help ensure that when Americans entrust corporations with their most sensitive personal information, these firms take the right steps to keep it secure and to do the right thing if breaches do occur.  In today’s world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security.”

The bill is cosponsored by Senators Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.); Ron Wyden (D-Ore.), Al Franken (D-Minn.), Tammy Baldwin (D-Wisc.), and Kamala Harris (D-Calif.) who have long shared Leahy’s commitment to consumer privacy protection. 

The Consumer Privacy Protection Act requires that corporations meet certain baseline privacy and data security standards to keep information they store about consumers safe, and it requires that these firms provide notice and protection to consumers in the event of a breach.  This legislation protects broad categories of data, including: (1) social security numbers and other government-issued identification numbers; (2) financial account information, including credit card numbers and bank accounts; (3) online usernames and passwords, including email names and passwords; (4) unique biometric data, including fingerprints and faceprints; (5) information about a person’s physical and mental health; (6) information about geolocation; and (7) access to private digital photographs and videos.

This Consumer Privacy Protection Act has the support of leading consumer privacy advocates, including the Center for Democracy and Technology, the Consumer Federation of America, New America’s Open Technology Institute, and Public Knowledge.

Consumer Federation of America’s Susan Grant, director of Consumer Protection Privacy, said:  “This bill takes the right approach to address our data breach crisis by requiring strong security measures to be implemented from the start, not just notice after a breach has occurred.”

Michelle De Mooy, director of Privacy and Data at the Center for Democracy & Technology, said:  “As Americans are well aware, data breaches have become ubiquitous but they are not inevitable; enacting common sense legislation to hold companies accountable for their data practices is long overdue.  We are pleased to support Senator Leahy’s bill, which protects both Americans’ personal information and their ability to trust the digital ecosystem.”

The full text of the bill can be found here.  Leahy’s statement on the bill in the Congressional Record can be found here.

Press Contact

David Carle: 202-224-3693