As the push for Congress to pass comprehensive consumer privacy legislation increases, Rep. Suzan DelBene (D-WA) has re-introduced the Information Transparency & Personal Data Control Act, a compromise proposal that contains provisions sought by both parties. This bill would create national data privacy standards and increase the enforcement authority of the Federal Trade Commission (FTC) and state attorneys general. This proposal largely contains the same provisions as past versions of the bill, including:
- Opt-in Consent: First, the bill requires that users provide “affirmative, express consent” to any practice that involves the collection, sale or sharing of sensitive personal information with third parties if the third party use of their data would be for a purpose other than those outlined in the policy shared with users. It defines “sensitive personal information” as identifiable information, including financial and health information, information pertaining to children, Social Security numbers, geolocation information, immigration status, religious beliefs, and web browsing history. The definition excludes de-identified information.
- Opt-out Consent: For the collection or sharing of non-sensitive personal information, the bill requires that companies allow users to opt out at any time.
- Privacy Policy Requirements: The bill also requires that companies provide their privacy policies in clear, plain language. They must ensure that policies include certain provisions, including the contact information of entities collecting or processing sensitive personal information, the purpose for the collection or sharing, how such information is protected, and how users may withdraw consent.
- Preemption: The bill also creates a national standard by preempting conflicting state laws, with the exception of state laws that involve data breach notifications, state biometric laws, and state wiretapping laws.
- Enforcement by the FTC and State Attorneys General: This bill empowers the FTC to enforce regulations promulgated under this bill as well as fine violators on the first offense. It also grants authority to state attorneys general to pursue violations if the FTC chooses not to pursue them on its own.
- Increased FTC Capacity: The bill appropriates $350,000,000 to the FTC for issues related to privacy and data security and authorizes the agency to hire 500 new full-time employees.
- Mandatory Audits: Finally, the bill requires companies that collect or share sensitive personal information to submit privacy audits every 2 years from a neutral third party.
The bill was introduced with 15 co-sponsors. Although the bill has not yet secured a Republican co-sponsor, many of the provisions seek to attract support from across the aisle. The U.S. Chamber of Commerce expressed its approval, stating that “it would enhance certainty by offering consumers clear and meaningful rights and would enable the business community to continue innovating.” Notably, the bill departs from the California Consumer Privacy Act and the General Data Protection Regulation by not affording consumers the right to delete information that a company has collected about them. Additionally, it preempts state laws and does not include a private right of action.
The text of the bill is available here. We will continue to monitor legislative developments on this front.