Last week, the Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in the 117th U.S. Congress. Its sponsor is Rep. Suzan DelBene, D-Wash. The bill appeared less than two weeks after Virginia become the second state, following California, to pass comprehensive privacy legislation.

The details

Broadly speaking, the proposed federal bill would create protections for the processing of sensitive personal information. For the collection, processing and sharing of non-sensitive information, meanwhile, companies would be required to allow consumers to opt out at any time.

More specifically, it would provide additional rulemaking authority to the Federal Trade Commission to devise requirements for entities that collect, transmit, store, process, sell, share or otherwise use the sensitive personal information of members of the public. These requirements would include obtaining “affirmative, express, and opt-in consent” for requests involving the collection, sale, sharing or other disclosure of sensitive personal information. Controllers would also be responsible for informing processors or third parties about the purposes and limits to the granted consent but would not be liable for processors’ failure to adhere to those limits.

“Sensitive personal information” is defined in the bill as financial account numbers and authentication credentials, such as usernames and passwords; health information; genetic data; any information pertaining to children under 13; Social Security numbers and any “unique government-issued identifiers”; precise geolocation information; the content of oral or electronic communications, such as email or direct messaging; personal call detail records; biometric data; sexual orientation, gender identity or intersex status; citizenship or immigration status; mental or physical health diagnoses, religious beliefs; and web browsing history and application usage history.

Information that is deidentified, public information and employee data would not fall under the definition of “sensitive personal information.” Written or verbal communication between a controller and a user for a transaction concerning the provision or receipt of a product or service would also not be counted as sensitive data.

Enforcement

The bill grants enforcement authority to both the FTC and state attorneys general. Notably, it does not include a private right of action.

To bolster the FTC’s resources to carry out its mandate, the bill would require the hiring of 500 new FTC employees, 50 of whom are to have “technology expertise.” It would also authorize $350 million in appropriations to the FTC for privacy and data security enforcement.

Where the FTC does not act within a 60-day period of discovering or being notified of a violation, the bill would enable any state attorney general to bring an action on behalf of their state’s residents in U.S. district court. Both the FTC and state attorneys general would be required to notify the controller of the alleged violation(s) and give them 30 days to “cure” non-willful violations before commencing an enforcement action.

Further provisions

Another key provision of the bill is the “plain English” requirement for privacy policies. Specifically, the bill would require companies to maintain privacy, security and data use policies that are “concise, intelligible, and use plain language.” They must be consistent with the FTC’s guidelines on “clear and conspicuous” disclosure, “use[] visualizations, where appropriate to make complex information understandable by the ordinary user,” and be provided free of charge.

At least once every two years, regulated entities processing sensitive data would also need to obtain and make public the result of a “privacy audit” from a “qualified, objective, independent third party.” Small businesses, defined as those that collect, store, process, sell, share or otherwise use the sensitive personal information of 250,000 people or fewer per year, would be exempt from the audit requirement.

Audits would be required to accomplish several things, including:

  1. Documenting the “privacy, security, and data use controls” implemented and maintained by the controller, processor or third party.
  2. Describing the appropriateness of such controls, given the “size and complexity” of the regulated entity, the “nature and scope” of its activities, and the “nature of sensitive personal information or behavioral data” that it collects.
  3. Certifying whether these controls “operate with sufficient effectiveness to provide reasonable assurance” that they protect the privacy and security of sensitive personal information or behavioral data.

Notably missing from the bill are provisions providing users with rights to access, correction or deletion. Such rights are included in the EU General Data Protection Regulation, California Consumer Privacy Act/California Privacy Rights Act and many other privacy laws. Perhaps most consequential, however, is the bill’s inclusion of a preemption provision. In her own words, DelBene has said that she thinks “it is much better to have a federal law versus a patchwork of laws from a consumer standpoint, but also from the standpoint of a small business.” The bill’s preemption clause would nullify state laws “related to the data privacy or associated activity of covered entities” but would not affect state laws related to data breaches, biometrics, wiretapping or public records.

Support for the bill

DelBene had introduced previous versions of the bill during the 115th Congress (2017–18) and 116th Congress (2019–20), as well. Those two proposals attracted two and 34 cosponsors, respectively, all of whom were Democrats, both stalled after being referred to the House Committee on Energy and Commerce.

The current bill also had the support of 15 Democratic cosponsors, although DelBene has said “there is a big opportunity to have it be bipartisan.” Vox’s Recode similarly described it as a bill that “Republicans might actually like” as it is “more business-friendly than other Democrats’ bills” and is actually “more on the right-leaning side of things than the left.” Indeed, many of the bill’s provisions appear to be “seek[ing] to attract the support across the aisle.”

The Chamber of Commerce has thrown its weight behind it, writing a letter to DelBene to applaud her leadership in introducing it. Others voicing support include the Network Advertising Initiative, National Retail Federation, Main Street Privacy Coalition, NetChoice, Information Technology and Innovation Foundation and BSA | The Software Alliance, which had also supported previous iterations of the bill. Amazon’s Public Policy arm also tweeted a message of thanks to DelBene for “advancing the discussion on federal privacy legislation and recognizing the importance of innovation.”

Predictions

The passage of a comprehensive federal privacy law remains a heated subject of debate and will probably only get hotter. While most privacy observers seem to believe that it would ultimately be “a good thing” for one to pass, there still exists a wide range of disagreement about how likely one is to become reality. Predictions range from it being “unlikely” to “only a matter of time.” In any case, it is important to recognize the diverse forces that are at play in the process, including not only the passage of state privacy laws, but also COVID-19, lobbying, U.S. diplomacy and international agreements. Of course, only time will tell what effect each of these will have on the prospects for and the final shape of any new federal privacy law.

Photo by Sarah MacClellan on Unsplash