New federal data privacy standard proposed

In the United States today there is no comprehensive federal law governing consumer data privacy. Some members of Congress want to change that. Last week, Rep. Suzan Delbene, D-Wash., introduced legislation to create a federal consumer data privacy standard, which would supersede the current patchwork of state data privacy laws and give the Federal Trade Commission rulemaking and enforcement powers.

Thirty-four other Democrats in the House signed on as co-sponsors of the bill. No similar legislation has yet to be introduced in the Senate.

The Information Transparency and Personal Data Control Act, introduced in the House on March 10, 2021, aims to establish protections for all types of personal information businesses collect on consumers, including financial, health, genetic, biometric, geolocation, sexual orientation, citizen and immigration status, Social Security Numbers, and religious beliefs. It also establishes protections for children under the age of 13.

"Data privacy is a 21st century issue of civil rights, civil liberties and human rights, and the U.S. has no policy to protect our most sensitive personal information from abuse," Rep. Delbene said in a statement. "With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans."

Absent federal oversight of data privacy, several states have enacted their own comprehensive data privacy laws in recent years, several of which mirror closely the General Data Protection Regulation established by the European Union in 2018.

The California Consumer Privacy Act, which took effect in 2020, imposes a comprehensive set of data privacy protections that companies doing business with or targeting California residents must adhere to. Violators face stiff civil penalties and potential damage awards to consumers whose personal records are breached and misused. A similar bill was signed into law this year in Virginia, and others are on the legislative dockets in several states.

Some particulars

Here are some key provisions of the Information Transparency and Personal Data Control Act:

• Privacy policies provided by companies to their customers must be written in "plain English."
• Companies would be required to disclose if and with whom a consumer's private information might be shared and why.
• Consumers would have to opt in before a company could share their private information with others.
• Companies would have to undergo privacy audits by a neutral third party every two years.
• State laws that conflict with the proposed new federal statute would be preempted.
• The FTC would be given rulemaking authority and enforcement powers over companies that fail to comply with the proposed new federal law. State attorneys general would be given authority to pursue violations when the FTC chooses not to take action against violators.

Tech and businesses backing, but is it enough?

The proposed legislation already has gained support from several business and technology groups. "The principles embodied by this legislation are critical to ensuring enactment of a balanced federal privacy law that benefits consumers and businesses alike," said David French, senior vice president at the National Retail Federation.

"This bill shows that it is possible to draft a data protection law that protects consumers without imposing unnecessary costs on businesses," said David Castro, vice president at the Information Technology and Innovation Foundation. "We encourage Congress to use this as a roadmap for how it should move forward in the digital economy to provide certainty to consumers and businesses alike."

Tom Quaadman, executive vice president of the U.S. Chamber of Commerce Technology Engagement Center, offered a similar assessment. He characterized the legislation as "an important first step in bringing consumers, the private sector and policymakers together to protect sensitive information from bad actors."

But Ross Federgreen, president of CSR Privacy Solutions, said he wasn't impressed by the legislation. "It doesn't go far enough," he said. Many of the state laws this bill would supersede offer stronger consumer data privacy protections, and lawmakers from those states aren't likely to vote for a federal statute that overrides those laws, he suggested. And he noted that no Republicans have signed on as co-sponsors of the bill.

Federgreen said the proposed legislation also contains "carve outs" that would exempt large companies from many of the more onerous provisions. "I think the bill is dead in the water," Federgreen said of the legislation.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.