As the push for Congress to pass comprehensive consumer privacy legislation increases, Rep. Suzan DelBene (D-WA) has re-introduced the Information Transparency & Personal Data Control Act, a compromise proposal that contains provisions sought by both parties.  This bill would create national data privacy standards and increase the enforcement authority of the Federal Trade Commission (FTC) and state attorneys general. This proposal largely contains the same provisions as past versions of the bill, including:

  • Opt-in Consent: First, the bill requires that users provide “affirmative, express consent” to any practice that involves the collection, sale or sharing of sensitive personal information with third parties if the third party use of their data would be for a purpose other than those outlined in the policy shared with users. It defines “sensitive personal information” as identifiable information, including financial and health information, information pertaining to children, Social Security numbers, geolocation information, immigration status, religious beliefs, and web browsing history.  The definition excludes de-identified information.
  • Opt-out Consent: For the collection or sharing of non-sensitive personal information, the bill requires that companies allows users to opt-out at any time.
  • Privacy Policy Requirements: The bill also requires that companies provide their privacy policies in clear, plain language. They must ensure that policies include certain provisions, including the contact information of entities collecting or processing sensitive personal information, the purpose for the collection or sharing, how such information is protected, and how users may withdraw consent.
  • Preemption: The bill also creates a national standard by preempting conflicting state laws, with the exception of state laws that involve data breach notifications, state biometric laws, and state wiretapping laws.
  • Enforcement by the FTC and State Attorneys General: This bill empowers the FTC to enforce regulations promulgated under this bill as well as fine violators on the first offense. It also grants authority to state attorneys general to pursue violations if the FTC chooses not to pursue them on its own.
  • Increased FTC Capacity: The bill appropriates $350,000,000 to the FTC for issues related to privacy and data security and authorizes the agency to hire 500 new full-time employees.
  • Mandatory Audits: Finally, the bill requires companies that collect or share sensitive personal information to submit privacy audits every 2 years from a neutral third party.

The bill was introduced with 15 co-sponsors.  Although the bill has not yet secured a Republican co-sponsor, many of the provisions seek to attract the support across the aisle.  The U.S. Chamber of Commerce expressed its approval, stating that “it would enhance certainty by offering consumers clear and meaningful rights and would enable the business community to continue innovating.”  Notably, the bill departs from the California Consumer Privacy Act and the General Data Protection Regulation by not affording consumers the right to delete information that a company has collected about them.  Additionally, it preempts state laws and does not include a private right of action.

The text of the bill is available here.  We will continue to monitor legislative developments on this front.

 

 

Print:
EmailTweetLikeLinkedIn
Photo of Kurt Wimmer Kurt Wimmer

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated…

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four categories.  He represents companies and associations on public policy matters before the FTC, FCC, Congress and state attorneys general, as well as in privacy assessments and policies, strategic content ventures, copyright protection and strategy, content liability advice, and international matters.

Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries. Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.