On March 10th, Congresswoman Suzan DelBene (D-WA) introduced the Information Transparency and Personal Data Control Act (the “Act”). The Act is intended to create a federal privacy law: one national standard for consumer data privacy regulation that would supersede a patchwork of (potentially) 50 state privacy laws. As we have previously blogged, Virginia recently passed its own data privacy law; New York has introduced a data privacy bill; and readers will be very familiar with the California Consumer Privacy Act (“CCPA”). You can read the text of the Act here.
What would the Information Transparency and Personal Data Control Act do?
One of the stated objectives of the Act is to create a federal standard for consumer data privacy. Presently, companies must navigate a web of state privacy laws and regulations to ensure compliance in all jurisdictions of the Union. Compliance requirements differ from state to state and can create real cost concerns for small and large companies alike. For instance, the CCPA requires particular consumer disclosures concerning the sale and transfer of personal data. If New York passes its own version of the CCPA, it could easily require disclosure language that is different enough from that of California to require separate notice. The same could be true for any other state with its own privacy regulations, to the point where disclosures and data privacy policies may become unwieldy. The Act preempts all state privacy laws to prevent this exact problem.
The core of the Act revolves around consent, disclosure, enforcement, and privacy audits. Consent remains the pivotal aspect of consumer data privacy. The Act orients all data privacy action toward requiring an “opt-in” to authorize any collection and sharing of certain types of sensitive personal data (e.g., Social Security numbers and medical data). Each transaction would require affirmative consent (“opt-in”) before a company may sell or share this sensitive personal data. The Act also incorporates disclosure requirements from state legislation (such as the CCPA) into this federal privacy law, including the disclosure of what personal data a company intends to sell and why. The Act requires that privacy policies be clear and written in “plain English.” Enforcement responsibilities would be shared between the Federal Trade Commission (“FTC”) and state attorneys general. The FTC would be tasked with promulgating regulations related to enforcing the Act. Finally, the Act would require companies to undergo a data privacy audit every two years, to be conducted by neutral third parties.
A federal data privacy law is ultimately a good thing.
What are the practical implications of a federal privacy law?
Is a federal privacy law good or bad for business? No law is perfect, but the goals behind the Act seem to make it a net positive for businesses. Rep. DelBene is a former Microsoft executive, which gives her unique credibility for the task of crafting a federal privacy law. The biggest and most important benefit of the Act is the preemption of state consumer privacy laws, allowing companies to follow one standard for data privacy regulation. This one standard has the potential to save companies significant time and money in reduced compliance obligations. The Act may carry some new costs in the form of data privacy audits, but those audits, coupled with legal advice from experienced privacy attorneys, could do more good than harm in finding gaps, however small, in a company’s consumer data privacy policies and procedures.
Companies do not need reminding that national consumer protection laws can result in headaches in the form of litigation and/or regulatory investigations. Look no further than the Telephone Consumer Protection Act (“TCPA”). The TCPA cannot keep pace with changing technology and has created an avalanche of litigation in recent years. Unlike the TCPA and some other consumer protection statutes, the Act would only permit enforcement by the FTC and state attorneys general. Most importantly, the Act, as currently written, does not allow for a private right of action. This could mean many fewer costly litigation cases than those that are brought under other consumer protection statutes. With its preemption of all state consumer data privacy laws, the Act eliminates the right to a private cause of action under any state law other than for data breaches and unauthorized biometric data collection and use violations. Between less litigation and decreased compliance costs, this federal data privacy law would seem to be an overall win for business.
Avoid Data Privacy Violations with Experienced Attorneys
Today, the various state consumer data privacy laws require a deft hand to maintain compliance. Even if the Act becomes law, companies can expect some continued uncertainty as the FTC passes implementing regulations and state data privacy laws get phased out. With so many variables, companies must rely on sound privacy practices and procedures to maintain compliance with evolving state and federal regulations. The experienced attorneys at Klein Moynihan Turco can provide the kind of advice that should help keep your business out of costly and time-consuming consumer privacy investigations and litigation. If you need help evaluating or updating your privacy practices and procedures, please email us at firstname.lastname@example.org or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.