As the push for Congress to pass comprehensive consumer privacy legislation increases, Rep. Suzan DelBene (D-WA) has re-introduced the Information Transparency & Personal Data Control Act, a compromise proposal that contains provisions sought by both parties.  This bill would create national data privacy standards and increase the enforcement authority of the Federal Trade Commission (FTC) and state attorneys general. This proposal largely contains the same provisions as past versions of the bill, including:

  • Opt-in Consent: First, the bill requires that users provide “affirmative, express consent” to any practice that involves the collection, sale or sharing of sensitive personal information with third parties if the third-party use of their data would be for a purpose other than those outlined in the policy shared with users. It defines “sensitive personal information” as identifiable information, including financial and health information, information pertaining to children, Social Security numbers, geolocation information, immigration status, religious beliefs, and web browsing history. The definition excludes de-identified information.
  • Opt-out Consent: For the collection or sharing of non-sensitive personal information, the bill requires that companies allow users to opt out at any time.
  • Privacy Policy Requirements: The bill also requires that companies provide their privacy policies in clear, plain language. They must ensure that policies include certain provisions, including the contact information of entities collecting or processing sensitive personal information, the purpose for the collection or sharing, how such information is protected, and how users may withdraw consent.
  • Preemption: The bill also creates a national standard by preempting conflicting state laws, with the exception of state laws that involve data breach notifications, state biometric laws, and state wiretapping laws.
  • Enforcement by the FTC and State Attorneys General: This bill empowers the FTC to enforce regulations promulgated under this bill as well as fine violators on the first offense. It also grants authority to state attorneys general to pursue violations if the FTC chooses not to pursue them on its own.
  • Increased FTC Capacity: The bill appropriates $350,000,000 to the FTC for issues related to privacy and data security and authorizes the agency to hire 500 new full-time employees.
  • Mandatory Audits: Finally, the bill requires companies that collect or share sensitive personal information to submit privacy audits every 2 years from a neutral third party.

The bill was introduced with 15 co-sponsors. Although the bill has not yet secured a Republican co-sponsor, many of the provisions seek to attract support from across the aisle. The U.S. Chamber of Commerce expressed its approval, stating that “it would enhance certainty by offering consumers clear and meaningful rights and would enable the business community to continue innovating.” Notably, the bill departs from the California Consumer Privacy Act and the General Data Protection Regulation by not affording consumers the right to delete information that a company has collected about them. Additionally, it preempts state laws and does not include a private right of action.

The text of the bill is available here.  We will continue to monitor legislative developments on this front.

 

 

Andrew Longhi

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state, federal, and international data protection laws. He proactively counsels clients on the substantive requirements introduced by new laws and shifting enforcement priorities. In particular, Andrew routinely supports clients in their efforts to launch new products and services that implicate the laws governing the use of data, connected devices, biometrics, and telephone and email marketing.

Andrew assesses privacy and cybersecurity risk as a part of diligence in complex corporate transactions where personal data is a key asset or data processing issues are otherwise material. He also provides guidance on generative AI issues, including privacy, Section 230, age-gating, product liability, and litigation risk, and has drafted standards and guidelines for large-language machine-learning models to follow. Andrew focuses on providing risk-based guidance that can keep pace with evolving legal frameworks.