On March 10, 2021, Rep. Suzan DelBene (D-Wash.) introduced the first comprehensive consumer privacy bill of the 117th Congress. The Information Transparency and Personal Data Control Act is designed to “establish a uniform set of rights for consumers and create one set of rules for businesses to operate in,” according to a press release from Rep. DelBene accompanying the bill. While she expressed the need for “a clear domestic policy” in order to “shape standards abroad [or] risk letting others, like the European Union, drive global policy,” the bill’s text notes that it “complements global standards” and borrows many concepts made familiar by the GDPR.
The bill has the support of a number of consumer privacy and technology organizations, including the Main Street Privacy Coalition, the U.S. Chamber Technology Engagement Center (C_TEC), TechNet, BSA | The Software Alliance, and the Progressive Policy Institute. It also contains a number of concessions to business interests, most notably preemption of some state privacy laws, no private right of action, and an expansion (from a previous draft of the bill) of the audit requirement from one year to two. Still, the bill currently has no Republican co-sponsors.
Among the bill’s key provisions are:
Sensitive Personal Information
- The bill is primarily geared toward the protection of “sensitive personal information,” with the preamble indicating that its purpose is to “require the Federal Trade Commission to promulgate regulations related to sensitive personal information, and for other purposes.”
- Sensitive personal information is broadly defined to include:
  - Financial account numbers
  - Health information
  - Genetic data
  - Any information pertaining to children under 13
  - Social Security Numbers
  - Unique government-issued identifiers
  - Authentication credentials for a financial account, including username and password
  - Precise geolocation information
  - Content of a personal communication, including email or text message, for any entity not an intended recipient
  - Personal call detail records
  - Biometric information
  - Sexual orientation, gender identity, or intersex status
  - Citizenship or immigration status
  - Mental or physical health diagnosis
  - Religious beliefs
  - Web browsing history, application usage history, or the functional equivalent
- Excluded from the definition of sensitive personal information are:
  - De-identified information
  - Employment or employee information
  - Communications between the controller and a representative of an entity
  - Publicly available information
- Under the bill, controllers are required to obtain “affirmative, express, and opt-in consent” for the processing of sensitive personal information. The scope of the consent limits the permissible uses of the information.
- Controllers will be held liable for their processors’ failure to obtain consent.
- Opt-out consent is sufficient for the processing of non-sensitive personal information.
- Controllers that communicate such opt-outs to processors will not be liable for the processor’s failure to comply.
“Plain” English Privacy Notices
- Section 3(a)(2) of the bill calls for clear and conspicuous privacy, security, and data use policies that are “concise, intelligible, and uses plain language.”
- The policy must contain (1) contact information for the controller and processors, (2) purposes of processing, (3) categories of third parties with which sensitive personal information will be shared, (4) categories of sensitive information collected and shared, (5) how a user can view or obtain that information, (6) steps taken to protect that information, and (7) how consent can be withdrawn.
- Section 3(a)(5) requires the controller-processor relationship to be governed by a contract that limits the processor to process personal data – not limited to sensitive personal data – only on documented instructions.
- The bill requires controllers and processors of “sensitive” personal information to obtain a privacy audit from a “qualified, objective, independent third party” once every two years that sets out the privacy, security and data use controls implemented and maintained during the reporting period, and analyzes whether the controls are appropriate for the size and nature of the organization’s operations.
- The privacy audit must be presented to the FTC or a state authority upon request. The summary of the audit – whether the controller or processor was compliant with the bill – must be made publicly available.
- Small businesses – i.e., those that process the sensitive information of fewer than 250,000 individuals yearly – and companies that don’t process “sensitive” information would be exempt from the audit requirement.
- Section 3(b) limits the processing activities subject to the bill. Permissible processing that would not require opt-in consent includes (1) preventing or detecting fraud, (2) identifying errors that impair functionality, (3) protecting the vital interests of consumers, (4) responding to subpoenas or valid law enforcement requests, (5) enforcing agreements, (6) protecting against unauthorized access, (7) advancing a substantial public interest, so long as such processing does not create a significant risk of harm, (8) authorized uses under the FCRA, (9) completing the transaction for which the information was collected, (10) complying with laws, and (11) conducting product recalls or servicing warranties.
- The bill also allows an exemption for processing that falls within the reasonable expectations of the user. Notably, that exemption covers marketing products and inviting new users to participate in promotions or loyalty programs.
FTC Rulemaking and Concurrent FTC/State Enforcement
- The bill centralizes federal privacy enforcement in the Federal Trade Commission. Within 18 months of enactment, Section 3(a) of the bill requires the FTC to promulgate regulations concerning the opt-in consents, privacy and data use policies, contracts between controllers and processors, and privacy audits.
- To accomplish this, the bill provides the FTC with $350 million to hire 500 additional staff focused on privacy and data security, with 50 having technical expertise.
- Section 4(b)(1), titled “Unfair or Deceptive Acts or Practices,” makes any violation of the bill a violation of Section 18(a)(1)(B) of the FTC Act. While the FTC traditionally pursues remedies for unfair and deceptive practices under Section 5(a) of the FTC Act, which does not allow for civil monetary penalties, Section 18 allows the FTC to obtain penalties. While it is not clear from the bill whether the FTC would be able to seek penalties for violations, it is likely that the FTC will assert such authority.
- Controllers are given 30 days to cure non-willful violations of the bill.
- State authorities are limited to seeking injunctive relief. State authorities must also give the FTC an opportunity to bring an action first.
- Under Section 9(a), the bill preempts any state “law, regulation, rule, requirement, or standard related to the data privacy or associated activities of covered entities.”
- The bill does preempt many state laws, including those that “directly establish requirements for the notification of consumers in the event of a data breach,” biometric laws, wiretapping laws, and laws like the Public Records Act.
No Private Right of Action
- The bill does not contain a private right of action. Enforcement is limited to the FTC and state authorities.