Privacy Bill Essentials: A Federal Information Transparency and Personal Data Control Act

March 16, 2021
Hinshaw Privacy & Cyber Bytes

On March 10, 2021, Representative Suzan DelBene (D-WA) re-introduced the Information Transparency and Personal Data Control Act (the Bill) in an effort to provide a uniform national consumer data privacy standard in place of the patchwork of conflicting state laws already in place and soon to become law.

The Bill intends to protect the sensitive personal information of individuals by requiring companies to obtain opt-in consent from persons prior to collecting, using, sharing, selling, or disclosing their sensitive personal information. While previous versions of the Bill stalled, there is a sense of optimism that this version may become law in the current Congress and Administration. The Bill has been endorsed by a number of business trade groups, including the U.S. Chamber of Commerce.

To whom would it apply?

The Bill applies to "controllers, processors, and third parties" who collect, transmit, store, process, sell, or share sensitive personal information from persons operating in, or located in, the United States at the time of the collection, transmission, storage, processing, sale, or sharing.

What types of information would it cover?

The sensitive personal information covered in the Bill includes:

Sensitive information does not include de-identified information, employment information, certain business communications that contain personal information, and publicly available information.

What rights would it create?

The Bill would give persons operating or located in the United States the right to:

Opt-in consent would not be required when the processing of sensitive personal information is consistent with the controller's relationship with the user, for example, to carry out the term of the contract or service, to accept and process payments, and to complete transactions, among other uses.

What obligations would it impose?

The Bill provides for a Small Business Audit Exemption, meaning that entities that collect, store, process, sell, share, or use sensitive personal information relating to 250,000 individuals or fewer per year are not required to submit a privacy audit.

The Bill's requirements do not apply when the personal information is used for certain purposes such as preventing and detecting fraud or crime, responding to valid legal processes, or using data in a way that is authorized by the Fair Credit Reporting Act, among other purposes.

How would it be enforced?

State attorneys general and the FTC would have powers to enforce the law through the privacy audits. Further, the FTC will have rule-making authority to issue additional regulations. Unlike previous versions of the Bill, this one does not include a private right of action that would allow consumers to file lawsuits against companies over privacy violations. Instead, this version of the Bill permits a state attorney general to bring a cause of action on behalf of consumers. While the Bill is silent as to fines or penalties for violating the law, there remains the possibility that the FTC could establish fines or penalties pursuant to the rule-making authority granted to it.

When would it go into effect?

Should the Bill be signed into law, it would go into effect 180 days after it is enacted.

Where does it stand? 

The Bill was introduced on March 10, 2021, in the House of Representatives. To date, it has 15 Democratic cosponsors. In the past, Democrats and Republicans have disagreed on certain provisions in similar bills that had been introduced in Congress, such as provisions on preemption, states' rights, and a private cause of action. Given that this version of the Bill is seen as more business-friendly than previous versions, there is a chance that some Republicans will cosponsor the Bill.