At Last: US Proposes Federal Data Privacy Law
At long last, a comprehensive federal data privacy bill has been introduced in the US legislature by Representative Suzan DelBene (D-Washington). Known at the Information Transparency and Personal Data Control Act (ITPDCA) ensures the protection of “our most sensitive personal information including financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, social security numbers, religious beliefs, and information pertaining to children under 13 years of age.”
ITPDCA seeks to create a balanced, high-standard privacy framework that “complements global standards.” The law seeks to establish nationwide consumer rights and give federal authorities the resources they need to protect consumers from deceptive data practices. Here’s what you need to know.
Key Elements
According to a press release, there are six key elements of the bill:
Privacy policies should be written and provided in plain English;
Users should be able to opt-in before companies use their sensitive personal information in unexpected ways;
Organizations must disclose any third-parties with which the information was shared, including the reasons for disclosure;
The bill attempts to preempt conflicting state laws by creating a cohesive national data privacy standard;
If the Federal Trade Commission (FTC) chooses not to enforce the regulations on the first offense, state attorneys may penalize for violations;
Organizations must submit privacy audits conducted by a neutral third party every two years.
PODCAST: U.S. NATIONAL PRIVACY LEGISLATION
LISTEN NOW
Consumer Rights
In short, the bill seeks to grant consumers control over their data that. Consumers would have the right to clear and accessible information about privacy and security practices–and expect organizations to handle their data securely and responsibly, use it in ways that “are consistent with the context in which the consumers provide the data,” and respect “reasonable limits” on what data they can collect and retain.
And like other big privacy laws, the bill maintains that consumers should be able to access and correct personal data in usable formats.
Opt-In Consent and Privacy Policy
The bill is centered around the concept of affirmative, express and opt-in consent, maintaining that organizations that collect, transmit, store, process, sell or share sensitive personal data must inform consumers of their practices through a privacy and data use policy. Upon notification, the subject must clearly consent to collection practices.
In addition to the aforementioned “plain English” requirement, privacy policies must be clearly and conspicuously consistent with FTC guidelines and must use visualizations–when appropriate–to aid the understanding of the user. Organizations may not charge users for access to such policies.
The policy must include:
Contact information for the entity collecting and processing the data
The purpose of the data activity
The categories of data collected
The categories of third parties with whom the data will be shared
How subjects can withdraw consent or view and obtain data collected from them
Whether subjects can export their data to other web-based platforms upon access
Measures taken to protect data from unauthorized access or acquisition
The caveat is that, if a consumer consents to the sale or disclosure of their data to a third-party, the organization is not responsible for the failure of that third-party to adhere to the limits of consent.
Opt-Out Consent
While consumers must opt-in to any activity involving sensitive personal data, the same standard does not apply for non-sensitive personal data. However, for such data activity, consumers have the ability to opt-out. Controllers and processors must honor opt-out requests and communicate the request to any third-party to which they disclosed the data. If the third-party fails to comply, the controller is not liable.
Controller and Processor Relationships
For processing to occur, there must be a binding contract between processor and controller detailing how the processor can process the data.
Processors may only share sensitive personal information with a subcontractor for the purposes of providing services. In such circumstances, they may only do so after providing the controller with an opportunity to object.
Audits
The bill requires any controller, processor or third party that uses sensitive personal data to obtain an audit from an objective, independent and qualified third-party at least once every two years. This audit should determine whether the entity was found compliant, a decision that shall be made publicly available. The audits must include:
The privacy, security and data use controls implemented and maintained by the entity
How these controls are appropriate for the size and complexity of the data activity and the nature of the data
Certification that these controls are effectively protecting the security and privacy of the data
Audits must address any substantial change to the entity’s privacy and data use policies. The audits must be provided to the FTC immediately and to the state Attorney General, within ten days of a request.
Entities that use sensitive personal information relating to 250,000 or fewer individuals per year are exempt for the audit requirements. Additionally, it does not apply to data activity authorized by the Fair Credit Reporting Act or for the purpose of:
Preventing or detecting criminal activity;
Enhancing or identifying errors in the controller’s ability to provide a service;
Protecting an individual’s interests;
Legal obligation;
Monitoring or enforcing agreements between controllers, processors or third parties;
Protecting property, services or information systems from unauthorized access;
Advancing a “substantial public interest”, such as scientific, historical or public health research;
Completing the transaction requested by the consumer for which the personal information was collected;
Conducting product recalls or servicing warranties.
Enforcement
This act will be enforced by the FTC. In the case of a non-willful violation, the FTC will notify the violator and provide them with 30 days to cure it.
If no enforcement action is taken by the FTC, a state attorney general may bring an action if a violation of the act is alleged to affect the state or its residents, providing written notice of the action to the FTC.