Last week, the Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in the 117th U.S. Congress. Its sponsor is Rep. Suzan DelBene, D-Wash. The bill appeared less than two weeks after Virginia became the second state, following California, to pass comprehensive privacy legislation.
Broadly speaking, the proposed federal bill would create protections for the processing of sensitive personal information. For the collection, processing and sharing of non-sensitive information, meanwhile, companies would be required to allow consumers to opt out at any time.
More specifically, it would provide additional rulemaking authority to the Federal Trade Commission to devise requirements for entities that collect, transmit, store, process, sell, share or otherwise use the sensitive personal information of members of the public. These requirements would include obtaining "affirmative, express, and opt-in consent" for requests involving the collection, sale, sharing or other disclosure of sensitive personal information. Controllers would also be responsible for informing processors or third parties about the purposes and limits to the granted consent but would not be liable for processors' failure to adhere to those limits.
"Sensitive personal information" is defined in the bill as financial account numbers and authentication credentials, such as usernames and passwords; health information; genetic data; any information pertaining to children under 13; Social Security numbers and any "unique government-issued identifiers"; precise geolocation information; the content of oral or electronic communications, such as email or direct messaging; personal call detail records; biometric data; sexual orientation, gender identity or intersex status; citizenship or immigration status; mental or physical health diagnoses; religious beliefs; and web browsing history and application usage history.
Information that is deidentified, public information and employee data would not fall under the definition of "sensitive personal information." Written or verbal communication between a controller and a user for a transaction concerning the provision or receipt of a product or service would also not be counted as sensitive data.
The bill grants enforcement authority to both the FTC and state attorneys general. Notably, it does not include a private right of action.
To bolster the FTC's resources to carry out its mandate, the bill would require the hiring of 500 new FTC employees, 50 of whom are to have "technology expertise." It would also authorize $350 million in appropriations to the FTC for privacy and data security enforcement.
Where the FTC does not act within a 60-day period of discovering or being notified of a violation, the bill would enable any state attorney general to bring an action on behalf of their state's residents in U.S. district court. Both the FTC and state attorneys general would be required to notify the controller of the alleged violation(s) and give them 30 days to "cure" non-willful violations before commencing an enforcement action.
Another key provision of the bill is the "plain English" requirement for privacy policies. Specifically, the bill would require companies to maintain privacy, security and data use policies that are "concise, intelligible, and use plain language." They must be consistent with the FTC's guidelines on "clear and conspicuous" disclosure, "use visualizations, where appropriate to make complex information understandable by the ordinary user," and be provided free of charge.
At least once every two years, regulated entities processing sensitive data would also need to obtain and make public the result of a "privacy audit" from a "qualified, objective, independent third party." Small businesses, defined as those that collect, store, process, sell, share or otherwise use the sensitive personal information of 250,000 people or fewer per year, would be exempt from the audit requirement.
Audits would be required to accomplish several things, including:
- Documenting the "privacy, security, and data use controls" implemented and maintained by the controller, processor or third party.
- Describing the appropriateness of such controls, given the "size and complexity" of the regulated entity, the "nature and scope" of its activities, and the "nature of sensitive personal information or behavioral data" that it collects.
- Certifying whether these controls "operate with sufficient effectiveness to provide reasonable assurance" that they protect the privacy and security of sensitive personal information or behavioral data.
Notably missing from the bill are provisions providing users with rights to access, correction or deletion. Such rights are included in the EU General Data Protection Regulation, California Consumer Privacy Act/California Privacy Rights Act and many other privacy laws. Perhaps most consequential, however, is the bill's inclusion of a preemption provision. In her own words, DelBene has said that she thinks "it is much better to have a federal law versus a patchwork of laws from a consumer standpoint, but also from the standpoint of a small business." The bill's preemption clause would nullify state laws "related to the data privacy or associated activity of covered entities" but would not affect state laws related to data breaches, biometrics, wiretapping or public records.
Support for the bill
DelBene had introduced previous versions of the bill during the 115th Congress (2017–18) and 116th Congress (2019–20), as well. Those two proposals attracted two and 34 cosponsors, respectively, all of whom were Democrats; both stalled after being referred to the House Committee on Energy and Commerce.
The current bill also has the support of 15 Democratic cosponsors, although DelBene has said "there is a big opportunity to have it be bipartisan." Vox's Recode similarly described it as a bill that "Republicans might actually like" as it is "more business-friendly than other Democrats' bills" and is actually "more on the right-leaning side of things than the left." Indeed, many of the bill's provisions appear to be "seek[ing] to attract the support across the aisle."
The Chamber of Commerce has thrown its weight behind it, writing a letter to DelBene to applaud her leadership in introducing it. Others voicing support include the Network Advertising Initiative, National Retail Federation, Main Street Privacy Coalition, NetChoice, Information Technology and Innovation Foundation and BSA | The Software Alliance, which had also supported previous iterations of the bill. Amazon's Public Policy arm also tweeted a message of thanks to DelBene for "advancing the discussion on federal privacy legislation and recognizing the importance of innovation."
The passage of a comprehensive federal privacy law remains a heated subject of debate and will probably only get hotter. While most privacy observers seem to believe that it would ultimately be "a good thing" for one to pass, there still exists a wide range of disagreement about how likely one is to become reality. Predictions range from it being "unlikely" to "only a matter of time." In any case, it is important to recognize the diverse forces that are at play in the process, including not only the passage of state privacy laws, but also COVID-19, lobbying, U.S. diplomacy and international agreements. Of course, only time will tell what effect each of these will have on the prospects for and the final shape of any new federal privacy law.