Federal Privacy Bill Reintroduced in Congress
Proposal Would Empower FTC, States to Enforce Privacy RegulationsU.S. Rep. Suzan DelBene, D-Wash., has reintroduced a bill that would create a nation-wide data privacy standard to be enforced by the Federal Trade Commission that in its latest version is intended to gather bipartisan support by addressing specific Republican concerns.
See Also: Netskope FERPA Mapping Guide
DelBene's Information Transparency and Personal Data Control Act, if passed, would replace a patchwork of current state laws and provide an influx of $350 million to the Federal Trade Commission's budget to enforce these proposed regulations.
"The new DelBene bill marks an interesting start for the relaunch of the effort to advance federal privacy law," says Omer Tene, vice president of the International Association of Privacy Professionals. "Specifically, while coming from the Democrats' side of the aisle, the bill is largely preemptive of state privacy laws and would not allow a private right of action."
Tene points out that these two issues have been a lightning rod for Republicans in the past and hindered any attempt to bridge the gap between the two sides in Congress this year. "So it's worth noting that Democrats supporting this bill are making a significant stride to meet Republicans' demands," he says.
DelBene's bill is designed to protect a wide swath of personal information by requiring businesses to obtain consumer consent prior to sharing their data, and companies would also be required to write their privacy policies in easy-to-understand language.
"With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans," says DelBene.
This is the fourth time DelBene has attempted to have this legislation enacted.
The bill currently has no Republican co-sponsors.
If passed, the bill would require the FTC to hire 500 additional employees who would focus on privacy and data security issues, 50 of whom must have technical expertise in the area. Exactly what this would entail, however, is not further defined. DelBene's bill also calls for the FTC to receive $350 million to implement the plan.
"This will place the FTC at the forefront of the global regulatory effort to implement data protection laws and develop privacy policies," Tene says.
What Is Protected?
The sensitive information covered by the bill includes financial, health, genetic, biometric and geolocation data; sexual orientation; citizenship and immigration status; Social Security number and religious belief. It would also offer extra protection to the data of children under 13 years old.
If passed, the bill calls for creating a balanced, high-standard digital privacy framework that complements global standards and a strong national standard to combat anti-consumer practices. It also requires that the federal government provide guidance on the proper collection, processing, disclosure, transmission and storage of sensitive data and ensure enforcement authorities have the resources needed to protect consumers.
Businesses would be required to submit to a privacy audit every two years conducted by an independent third-party.
If adopted, the Information Transparency and Personal Data Control Act would also supplant any similar state legislation currently in use, the bill states.
Enforcement
Unlike the California Consumer Privacy Act and the EU's General Data Protection Regulation, DelBene's bill does not include a fine structure or a breakdown of the type and size of businesses affected.
The CCPA, which went into full effect in January 2020, calls for a maximum penalty of $7,500 and is reserved only for intentional violations of the CCPA. Unintentional violations remain subject to a preset $2,500 maximum fine. GDPR, which went into effect May 2018, empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or 20 million euro ($22.2 million) - whichever is greater - if they violate Europeans' privacy rights,
Under the CCPA and GDPR, individuals also have the right to take civil action against a company, a point that is lacking in DelBene's bill.
Delbene's bill does, however, give the FTC and all state attorneys general enforcement powers. Once a violation has been brought before the FTC, the offending business has 30 days to rectify the problem before any enforcement action is undertaken (see: It's Official: CCPA Enforcement Begins).
A state may also bring an action in a case on behalf of a state or its residents after submitting written notification to the FTC, according to a draft of the bill.
Specific Action Items
- Plain English: Requires companies to provide their privacy policies in plain English.
- Opt-in: Allows users to opt-in before companies can use their most sensitive private information in ways they might not expect.
- Disclosure: Increases transparency by requiring companies to disclose if and with whom they will share the consumer's personal information and the purpose of sharing the information.
- Preemption: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws.
- Enforcement: Gives the FTC strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. It also empowers state attorneys general to pursue violations if the FTC chooses not to act.
- Audits: Establishes strong "privacy hygiene" by requiring companies to submit privacy audits every two years from a neutral third party.
The bill has six primary requirements:
Current State Legislation
In the absence of federal regulations, privacy legislation is in motion this year in Minnesota, New York, Washington and Oklahoma. If the other bills are passed, this would bring the number of states with their own privacy standards to eight, as California, Nevada and Maine have previously adopted such standards, and Virginia passed its Consumer Data Protection Act on March 2.
The majority of bills being considered at the state level are modeled on the recently instituted California Privacy Rights Act and Washington state's privacy standards (see: Privacy Legislation Progresses in 5 More States).