Staying on top of privacy legislation requires consistent effort. It’s overwhelming enough to keep track of the bills that do pass, but if you ignore proposed bills you risk being blindsided. Nobody wants to suddenly learn that they have insufficient time to adjust to a new piece of regulation.

That being said, if keeping up with enforceable legislation is daunting, extending your reach to all the bills that are yet to pass seems nearly impossible. Many of these bills never get off the ground and most of those that eventually pass seem far removed from their original form by the time they do.

To help you keep an eye out, we’ve highlighted three bills that have been proposed in Congress: the Information Transparency & Personal Data Control Act (H.R.1816), the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (S.2499), and the Consumer Data Privacy and Security Act of 2021 (S.1494). Here’s what you need to know about all three and what shifts they might provoke in the privacy landscape.

Broad Purpose

Information Transparency & Personal Data Control Act (ITPDCA): This bill is largely concerned with the need for the United States to develop a “balanced, high-standard digital privacy framework that complements global standards.” In short, the bill intends to fight anti-consumer practices involving data by creating consumer data rights, giving law enforcement the resources to protect consumer privacy and establishing federal guidance on sensitive data activity.

Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE Data Act): This is another broad bill aiming to establish a higher level of national data privacy and security by implementing certain consumer data rights and requiring companies to adopt principles of accountability and transparency when handling consumer data.

Consumer Data Privacy and Security Act of 2021 (CDPSA 2021): According to Senator Jerry Moran, the purpose of the bill is to address the fact that “more and more Americans are recognizing the need for a clear federal standard for data privacy that guarantees them the ability to determine how their personal data is used. Americans need to be able to count on strong baseline responsibilities that businesses must uphold when collecting, processing and protecting their personally identifiable information.”

In short, this bill is concerned with establishing consumer rights, prohibiting non-consensual data practices and requiring businesses to dedicate their resources to a robust data security program.

Applicability

ITPDCA:

Certain data activities are exempt, including those done for the purposes of:

  • Preventing certain criminal activity such as fraud, theft and financial crimes

  • Complying with legal processes or other Federal, State or local laws

  • Completing any aspect of the transaction the data was collected to complete, including delivering goods or services, processing payments or conducting internal research to improve products

  • Maintaining a business relationship with the consumer beyond the transaction including inviting them to participate in loyalty programs (NOTE: the right to opt-out still applies here)

  • Identifying errors that hinder the functionality or availability of the entity’s services and information systems

  • Monitoring or enforcing agreements between controllers, processors, third parties or individuals

  • Protecting an individual’s “vital interests”

  • Advancing “substantial public interests” such as archiving, research and public health

  • Conducting product recalls

  • Servicing warranties

SAFE Data Act:

The act applies to entities that:

  • Are subject to the Federal Trade Commission Act (FTCA); or

  • Collect, process or transfer covered data and determine the purposes or means of such activity, provided that they meet one of the following criteria:

    • Had annual gross revenue of over $50 million over the last three years

    • Process the covered data of at least 1 million individuals annually on average over the last three years

    • Have employed more than 500 individuals at one time in the last three years

    • Derived at least 50 percent of their revenue over the last three years from transferring covered data

Certain data activities are exempt, including those done for the purposes of:

  • Initiating and completing a transaction specifically requested by the individual such as billing, shipping and accounting

  • Performing internal system maintenance, diagnostics, product management, inventory management or network management

  • Protecting against malicious, threatening or illegal activity such as fraud and security threats

  • Maintaining product, service or network safety

  • Complying with legal obligations or inquiries

  • Ensuring customer safety

  • Transferring data to service providers

  • Conducting product recalls

  • Conducting applicable public or peer-reviewed research

CDPSA 2021:

The bill applies to entities that:

  • Determine the purpose and means of collecting and processing personal data – either alone or jointly with others – and are either:

    • A person under the FTC’s authority pursuant to section 5(a)(2) of the Federal Trade Commission Act

    • A common carrier subject to the Communications Act of 1934

    • A non-profit organization

Entities may only collect data without the subject’s consent for the following purposes:

  • To conduct a transaction initiated by the individual (including providing them a good or service)

  • To comply with other laws

  • To prevent imminent danger to an individual

  • To protect against malicious, threatening or illegal activity such as fraud and security threats

  • To conduct certain research, similar to the exemption listed in the aforementioned laws

  • To perform internal system maintenance, diagnostics, product management, inventory management or network management

  • To use on a “short-term, transient basis” that does not involve transferring the data to a third party or creating a profile of the individual

  • To market or advertise a product or service to an individual using data collected directly from the individual in question

Key Concepts

Information Transparency & Personal Data Control Act (ITPDCA)

Consumer Data Rights: If you’re familiar with privacy legislation, you shouldn’t be too surprised by the seven consumer rights established in the ITPDCA. That being said, the rights established here are vaguer and afford consumers fewer privileges, with no explicit right to deletion. The bill also does not include a private right of action. Under the law, consumers would have the right to:

  • Exercise control over how organizations use their data

  • Receive understandable information about the security and privacy practices of organizations that use their data, and expect that companies will only use their data in accordance with these practices

  • Have their data handled securely and responsibly

  • Access their data in a usable format (data portability)

  • Correct inaccurate data about them

  • Impose “reasonable limits” on the data companies collect and retain from them

  • Opt-in to data use involving sensitive personal information

  • Opt-out of data use involving non-sensitive personal information

Notice and Consent: The bill lays out what is essentially a notice and consent process for any data activity – whether that be collection, transmission, sharing, disclosure or sale – involving sensitive personal information. Sensitive personal information is defined to include anything inherently personal, whether it be genetic data, health data, financial information, personal communication data or data regarding someone’s sexual orientation, race or religious beliefs. Upon initiating the activity, organizations must provide consumers a privacy and data use policy for the specific request. Then they must seek “affirmative, express consent” from the consumer in order to proceed with the activity.

The privacy policy must be concise, clear, conspicuous and provided free of charge, using visualizations where appropriate to make information more understandable. The notice must include:

  • The entity’s identity and contact information

  • The purpose of the data use

  • Categories of sensitive personal information used

  • Categories of third parties with whom the data is shared

  • How consumers can view the data and withdraw consent

  • Protections in place to prevent unauthorized access or acquisition of sensitive personal information

Upon obtaining consent, organizations must provide additional notice if they share the data with a third party to be used for purposes other than those outlined in the original notice. However, controllers and processors are not “liable” for the failure of a third party to adhere to the limits of opt-in consent.

Consumers do not need to opt in to data activity involving non-sensitive personal information, but they do have the right to opt out at any point. Upon receiving an opt-out request, organizations must honor it to the extent they reasonably can, informing any relevant processors or third parties of the request. These recipients of the data are obliged to honor the request but – once again – the controller is not responsible for ensuring they do so.

Controller-Processor Relationships: There must be a binding contract in place between controllers and processors ensuring that processors only process data on documented instructions from the controller.

Processors may only share the data with a sub-processor for the purposes of providing services. Before doing so, they must give the controller the opportunity to object.

Audits: At least once every two years or after a substantial change to their data policy, any entity involved in any activity involving sensitive personal data must obtain a privacy audit from a “qualified, objective, independent” third party. The purpose of the audit is to ensure that any controls the entity has put in place to protect data are effective and appropriate to the nature of the sensitive data and the entity’s size and complexity. Afterwards, the entity must make the result of the audit publicly available.

SAFE Data Act

Consumer Data Rights: Under the act, consumers would have the right to:

  • Access any of their data that has been processed by the entity in a “portable, structured and machine readable format” (data portability)

  • Correct inaccuracies or incomplete information in their data

  • Delete or de-identify their data

  • Know the categories of third parties or service providers to whom the data has been transferred, as well as the purposes of the transfer

  • Opt-out of any collection, transferral or processing of their data before it occurs

  • Not be denied products or services for exercising their data rights

  • Not have any of their sensitive data processed or transferred without affirmative express consent

  • Withdraw consent after it has been granted

If a consumer makes a request to exercise any of these rights, entities must notify any third parties with whom they shared the data of the request. Entities are obliged to honor at least two verified requests a year from an individual as long as the request is possible to fulfill and fulfilling it doesn’t break the law or involve any unnecessary data retention, re-identification, release of trade secrets or “disproportionate effort”.

Privacy Policy: The act requires entities to publish a clear and conspicuous privacy policy that is made publicly available and disclosed to consumers prior to or at the point of collection. The privacy policy must include:

  • The entity’s identity and contact information, as well as the identity of any affiliates to whom the data may be transferred

  • The categories of data collected and the purposes of collection for each category

  • Whether the entity transfers the data including the categories of recipients and the purposes of the transfers

  • How individuals can exercise their data rights

  • A general description of:

    • The entity’s data retention practices and the purposes of retention

    • The entity’s data security practices

If the entity makes any changes to its privacy policy, it must inform the consumers of the change before continuing to use data under the new policy.

Data Minimization: Entities are not allowed to use data beyond what is reasonably necessary to provide or improve a product, service, or communication about a product or service. Similarly, they may only process or transfer data to the extent necessary and in the manner described in the privacy policy.

Service Providers and Third Parties: Although they are not technically “covered entities”, service providers and third parties can only process data on behalf of the covered entity that transferred the data to them. This means they cannot use data for any purpose beyond what was authorized by the covered entity and must delete, de-identify or correct the data upon instruction.

Privacy Impact Assessments: For data activities that involve a “heightened risk of harm to individuals”, entities must conduct an impact assessment weighing the benefits of the activity against its potential consequences.

“Large data holders” are required to conduct ongoing impact assessments once every two years to assess:

  • Consistency of their data practices and purposes of collection with their privacy policy

  • The accessibility of the privacy settings included in their products and services

  • The extent to which their privacy practices meet user expectations and give users control over their data

  • Any safeguards that can be used to enhance user privacy

Deceptive Practices: The act specifically prohibits deceptively designing the user experience as to impair “user autonomy, decision-making, or choice.”

Any companies that use data to conduct behavioral or psychological research based on data they collect must get express consent before doing so.

SAFE specifically notes that companies may not manipulate their platform to cultivate “compulsive usage” by children under the age of 13, citing non-consensual auto-play videos as an example.

Filter Bubble Transparency: The act places limitations on the use of opaque algorithms, allowing consumers to opt out of the “filter bubble” – algorithms which personalize a user experience to reinforce their existing beliefs.

In order for an online platform to use such algorithms to collect and process data, collectors need to provide a notice the first time an opaque algorithm is used. Additionally, subjects must be able to remove the filter bubble by accessing the platform through an input-transparent algorithm. From then on, users must be able to easily switch between the two versions.

Corporate Accountability: Corporate entities must designate at least one data privacy officer and one data security officer to be responsible for compliance with the privacy and security regulations in the act respectively. Companies must maintain controls to ensure that senior employees are involved in making decisions regarding compliance with this act.

Consumer Data Privacy and Security Act of 2021 (CDPSA 2021)

Consent: In general, entities may only collect or process an individual’s personal data if they have received their consent. The same goes for third parties using data that has been transferred to them by an entity, although the onus is on the original entity to inform the consumer of the transfer and seek their consent.

Both express affirmative and implicit consent fulfill this requirement. The latter covers situations where data subjects fail to decline a data use request from an entity after being provided with a notice and given reasonable time to respond. This notice must include:

  • The types of personal data used

  • The purposes of the data usage

  • Information on how the individual can access the entity’s privacy policy or exercise their data rights

  • Whether the data activity in question involves sensitive personal data or data transfer to third parties

Entities must also give individuals a clear and accessible means of withdrawing consent at any time or place. A withdrawal of consent remains in place until it is revoked by the individual.

Entities must also maintain a readily accessible privacy policy that is essentially the same as that required by the SAFE Data Act (see above). However, this policy creates additional obligations for entities to include a clear description of how the entity informs consumers of changes to its policy and the steps the individual can take to minimize the collection or processing of their personal data.

When making changes to their privacy policy, entities must adequately inform consumers of the changes and cannot use sensitive personal data in ways beyond what was detailed in the original policy without express affirmative consent from the subject. Entities must consider the potential risk of harm to the individual before making a change.

Limiting Data Retention: When possible, entities must either delete or de-identify sensitive personal data once it has served its intended purpose.

Consumer Data Rights: Under the act, consumers would have the right to:

  • Know whether an entity is processing their data and what categories of data have been disclosed by the entity

  • Receive a copy of any of their data the entity has processed, in a commonly used, machine-readable format that individuals can export and transmit for their own purposes (data portability)

  • Verify the accuracy of their data and correct inaccurate data, as long as the data is not “publicly available”

  • Delete or de-identify their data

Organizations are obliged to comply with at least two verified requests a year without charging the consumer. Organizations may refuse to comply or charge a fee when individuals submit “manifestly unfounded and excessive requests.”

Corporate Data Security Programs: Entities must “develop, document, implement, and maintain a comprehensive data security program that contains reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of personal data from unauthorized access, use, destruction, acquisition, modification, or disclosure.”

Appropriate safeguards can be determined considering the entity’s size and resources, the nature and scope of its data activities, the feasibility of the safeguards, the sensitivity of the data involved and the potential for unauthorized use of the data.

At a minimum, entities must:

  • Designate at least one employee to oversee the data security program

  • Identify risks to data security and assess safeguards to combat them, including employee training, information systems, detection, prevention or response

  • Implement safeguards and consistently assess their effectiveness in combating security risks

  • Implement procedures to ensure that third parties and service providers to whom the data is transferred are maintaining an appropriate level of data security

  • Adjust safeguards in response to changes in technology, threats or business operations

Special Accountability Requirements for Larger Entities: The bill includes a section outlining special accountability obligations for covered entities that annually process or collect the personal data of over 20 million individuals or the sensitive personal data of over 1 million individuals.

Such entities must designate one employee or contractor to be their “privacy officer”. This employee would be responsible for overseeing the entity’s data privacy policies, including:

  • Informing and advising the entity regarding its obligations under this act

  • Monitoring the entity’s compliance efforts

  • Overseeing the entity’s impact assessments and privacy programs

  • Acting as a liaison between the entity and any Federal, State or local enforcement authorities

In addition, such entities must maintain a comprehensive privacy program similar to that required by the SAFE Data Act, implementing safeguards with consideration of the scope of their databases, the potential risk of their data activity and the sensitivity of the data they use.

Enforcement and Penalties

ITPDCA: This law would be enforced by the Federal Trade Commission (FTC), which must give violating entities 30 days to cure non-willful violations of the act. If the violation continues beyond this period, the entity will be subject to the penalties provided in the Federal Trade Commission Act (FTCA).

State attorneys general also have enforcement authority, although they must provide prior written notice to the FTC before taking any civil action. In these cases, the FTC has the power to intervene and file petitions to appeal the decision.

The Federal Trade Commission is the government agency most closely associated with this bill. Not only does the FTC have enforcement authority; all penalties align with those already enforced under the FTCA, positioning this bill as something of an extension of that act. The bill calls for $350 million to be given to the FTC to fund the enforcement of this act, which would include hiring 500 new employees to focus on privacy and data security.

The act will take effect 180 days after the date of its enactment.

SAFE Data Act: Upon becoming aware of a violation, the FTC must transmit information regarding the violation to the Federal or State agency with the authority to initiate proceedings (under the FTCA).

However, the FTC’s power also brings responsibility. Within a year of the date of enactment, the FTC is obligated to issue guidelines and best practices for data minimization, preventing unauthorized data access, addressing vulnerabilities in data practices, managing access rights and detecting, responding to or recovering from cybersecurity incidents. Within two years, it must create guidelines for selecting service providers and making the decision to share data with a third party.

The act will take effect 18 months after the date of its enactment.

CDPSA 2021: This act will be enforced by the FTC and violations of the act will be treated as “unfair and deceptive practices” under the FTCA. Civil penalties will take into account the facts of the violation – the harm caused, the violating entity’s intent, the size of the violating entity – but should not exceed the number of affected individuals multiplied by $42,350. For example, if two individuals were harmed, the penalty could not exceed $84,700 ($42,350 multiplied by 2).

If a state attorney general finds a violation to pose a threat to the interests of the state, it may take civil action after notifying the FTC of its intent to do so.

The act will take effect one year after the date of its enactment.
