First Comprehensive Federal Bill Addressing Privacy in the US

BlockSuits

The United States has seen a recent wave of privacy legislation. The state of Virginia enacted the Virginia Consumer Data Protection Act on March 2, 2021, which draws on California’s California Consumer Privacy Act (“CCPA”) and the California Privacy Rights and Enforcement Act. However, while efforts to protect consumer privacy were prevalent at the state level, federal-level legislation was still pending, a need that has been fulfilled by the introduction of the Information Transparency and Personal Data Control Act (“ITPDCA”).

The ITPDCA was introduced in the 117th session of Congress by Rep. Suzan DelBene on March 10, 2021. The ITPDCA is defined as a bill to require the Federal Trade Commission (“FTC”) to promulgate regulations related to sensitive personal information. Under section 7(9) of the ITPDCA, sensitive personal information includes data such as (a) financial account numbers; (b) health information; (c) genetic data; (d) information pertaining to children less than 13 (thirteen) years of age; (e) government-issued identifiers; (f) biometric information; and (g) religious beliefs, among others. However, de-identified information, employee data and publicly available information are not part of sensitive personal information.


The ITPDCA also introduces opt-in and opt-out consent mechanisms for the processing of sensitive personal information. Where controllers have shared any data with third parties, they are responsible for informing such processors or third parties about the limits of consent and the purposes of the processing. However, controllers would not be held liable for the failure of such third parties to adhere to those limits. Further, the ITPDCA requires controllers and processors to have a privacy audit carried out by an independent third party once every 2 (two) years. Companies that are not processing sensitive personal information are exempt from this audit requirement.


The ITPDCA marks one of the first comprehensive pieces of federal privacy legislation in the United States, with significant powers being granted to the FTC. In order to increase the resources of the FTC, the ITPDCA provides for the recruitment of 500 (five-hundred) new FTC employees, of whom 50 (fifty) are to have technology expertise, as per section 6(b). For the enforcement of issues relating to privacy and data security, the ITPDCA also provides for an additional USD 350 million in funding for the FTC. After being notified of alleged violations, controllers are given 30 (thirty) days to cure non-willful violations before the FTC or any state authority commences an enforcement action. Further, the ITPDCA sets out a plain language requirement under section 3(2), under which privacy and data use policies must be consistent with the guidelines issued by the FTC and be written in clear and intelligible language.


It is also interesting to note that enforcement under the ITPDCA is limited to state authorities and the FTC, and that the bill does not contain a private right of action. The ITPDCA will also preempt any state “law, regulation, rule, requirement, or standard related to the data privacy or associated activities of covered entities”, with the exception of state laws that involve data breach notifications and each state’s biometric and wiretapping laws.


BlockSuits Comments


Interestingly, the ITPDCA does not contain any of the right-to-be-forgotten principles that are enshrined in the European General Data Protection Regulation (GDPR) and the CCPA. Because the bill exempts companies from the audit requirement if they process the data of fewer than 250,000 (two-hundred and fifty thousand) users, one may infer that it is aimed at big technology firms processing large amounts of sensitive personal information. The increased FTC enforcement and the preemption requirement signal a move towards federal data privacy enforcement, making the bill one of the first comprehensive data privacy bills introduced in the United States that is drafted from a consumer perspective. The bill has already garnered support from tech policy think tanks and software alliances in the United States and is expected to be passed this year. However, this may be challenging as more states in the United States introduce their own privacy legislation.


Authored by Shivani Agarwal, Founder and Samaksh Khanna, Co-founder.
