Friday, April 02, 2021

Congresswoman DelBene Reintroduces Federal Data Privacy Bill

Representative Suzan DelBene (D WA) has reintroduced the Information Transparency and Personal Data Control Act, federal privacy legislation she originally proposed, in a slightly modified form, in 2019.

The Information Transparency and Personal Data Control Act (ITPDCA) appears to be the first comprehensive data privacy bill introduced during the current legislative session.

Regarding the primary two issues upon which (1) lawmakers so far have been unable to reach agreement, and (2) I have written extensively for the Free State Foundation, it embraces what I consider to be the correct positions: it preempts state laws (with the exception of those addressing data-breach notifications, biometric information, wiretapping, and public records) and does not allow for a private right of action.

Instead, enforcement would be the responsibility of the FTC and, in the event that the FTC does not act, state attorneys general. However, state attorneys general would be required to provide covered businesses with thirty days to cure before commencing an action.

Unlike the California Consumer Privacy Act or the Virginia Consumer Data Protection Act, the ITPDCA would not grant consumers the right to access, correct, or delete personal information. However, It would require covered businesses to:

  • Make available "plain language" privacy policies;
  • Allow consumers to opt out at any time from the "collection, transmission, storage, processing, selling, sharing or other use of non-sensitive personal information"; and
  • Obtain opt-in consent for the use of sensitive personal information to the extent that that use is not described in the privacy policy of the covered business.

The ITPDCA also would empower the FTC to impose fines for first-time offenses, increase its ability to adopt rules, expand its authority to cover common carriers, increase its funding by $350 million, and allow it to hire 500 new full-time employees.

In "Inconsistent State Data Privacy Laws Increase Confusion and Costs," a March 2021 Perspectives from FSF Scholars, I sounded the alarm regarding the compliance burdens and consumer uncertainty that will result should Congress fail to establish a federal data privacy regime that preempts the growing number of state laws.

To date we have witnessed two states fill the void that exists at the national level: California (with both the CCPA, currently in effect, and the California Privacy Rights Act, approved by voters in November) and Virginia. Other states where legislation has been introduced include Florida, Minnesota, New York, Oklahoma, Washington State, and, most recently, Colorado.