The Information Transparency and Personal Data Control Act
On March 11, 2021, Rep. Suzan DelBene (D-WA) introduced the House of Representatives’ first major privacy bill in the 117th Congress. Rep. DelBene recently joined an episode of the Association for Data and Cyber Governance’s U.S. National Privacy and Cybersecurity Podcast to discuss The Information Transparency and Personal Data Control Act ( H.R. 1816 ).
Absent national privacy legislation, U.S. states have been forced to enact their own laws. In 2018, the California Consumer Privacy Act (CCPA) became the first comprehensive data privacy bill to be signed into law with Virginia and Colorado following suit with similar legislation this year.
While consumer privacy advocates are applauding the progress, this patchwork of state laws is widely recognized as an untenable solution. On the podcast, Rep. DelBene called on Congress to establish a uniform standard: “having fifty different state laws will be incredibly problematic and will not help protect consumers.”
Differing standards across jurisdictions also can create a burden for businesses, which often shoulder the cost of compliance. Initial implementation of CCPA alone is projected to reach $55 billion in costs. Rep. DelBene, a former Microsoft executive, noted that small businesses especially are hurt by differing standards. “How do you keep up with that? How do you know that when someone has gone from one jurisdiction to another that your policy has to change?”
That’s why Rep. DelBene wants the Information Transparency and Personal Data Control Act to preempt state laws. Her hope is that the bill–if passed–will provide much needed clarity for companies and protection for people. H.R. 1816 would require companies to make privacy policies that use “plain language” and “visualizations, where appropriate to make complex information understandable by the ordinary user.”
The bill also tackles the opt-in vs. opt-out debate. Users can opt-in before companies use their sensitive personal information in ways they might not expect, while retaining the right to opt-out at any time from the collection or sharing of their non-sensitive personal information. This differs from other legislation, like Sen. Jerry Moran’s (R-MS) SAFE DATA Act which has no opt-in protections and only provides an opt-out option prior to the collection of protected data.
Under H.R. 1816, companies will also have to disclose who they are sharing personal information with and for what purpose. However, the most important and contentious aspect of privacy legislation is the enforcement mechanism.
H.R. 1816 gives the Federal Trade Commission (FTC) strong rulemaking authority, and the ability to fine bad actors on the first offense. Rep. DelBene says, “the FTC is the most appropriate agency to do enforcement.” Other proposals, like the Data Protection Act introduced by Sen. Kirsten Gillibrand (D-NY), would create a new agency to handle enforcement. Creating a new agency, “is difficult and time consuming and there is probably overlap with existing agencies,” says Rep. DelBene, who adds that empowering the FTC, “helps all of this come together more quickly.” To carry out its enforcement duties, the FTC would be granted $350 million to hire 500 new full-time employees. If the FTC chooses not to act on a privacy violation, state attorneys general would be able to bring an action on behalf of the state’s citizens. Unlike CCPA, there is no private right of action included in order to limit the harmful impact of litigation on small businesses. However, businesses will have to undergo a privacy audit every two years by a neutral third party.
So far, the bill has attracted 19 co-sponsors and support from influential industry groups like the Information Technology and Innovation Foundation, Main Street Privacy Coalition, U.S. Chamber Technology Engagement Center, and the National Retail Federation among others. National privacy legislation also has support from another key group–the American people. A recent Morning Consult poll found that 83 percent of Americans want Congress to pass a national privacy bill.
“Privacy really is an issue of civil rights, civil liberties, human rights, and we are behind,” DelBene says, noting that GDPR has made Europe the leader in global data privacy protections: “If we don’t have a clear domestic policy, we really don’t have a seat at the international table.”
In a sign of small progress, Senator Maria Cantwell (D-WA), Chair of the Commerce Committee, scheduled a hearing on consumer privacy for Wednesday, September 29.