Information Transparency & Personal Data Control Act
The purpose of this federal legislation is to provide privacy rights to all American residents and provide uniform national standards for businesses. This bill was introduced by Democratic Representative from Washington’s first district, Suzan DelBene on April 1st, 2021. Since its introduction, it has been referred to the House Committee on Energy and Commerce and within that committee, it was referred to the subcommittee on Consumer Protection and Commerce. To become law, this bill would need to be passed by the House of Representatives, and then passed by the Senate. After passing both Houses of Congress, the President would need to sign it into law, or if he vetoed it, Congress could overcome his veto by a 2/3 vote in support of the bill from each House of Congress.
The Proposed Effects of the ITPDCA
The first thing to observe about the Information Transparency and Personal Data Control Act (ITPDCA) is that it only applies to sensitive personal information. Sensitive personal information means information relating to an identified or identifiable individual, including the following: financial account information, health information, genetic data, information pertaining to children under 13 years of age, social security numbers, unique government-issued identifiers, authentication credentials, such as a username and password, precise geolocation information, content of a wire communication, oral communication, or electronic communication with respect to any entity that is not the intended recipient of the communication, call detail records, web browsing history, application usage history, and the functional equivalent of either, biometric information, sexual orientation, and religious beliefs.
The next important thing to notice about the ITPDCA is that it neither creates any rights nor responsibilities on any party other than the Federal Trade Commission (FTC). Once it goes into effect, it has no direct effect on controllers, processors, or “users”. It merely obligates the FTC to take the future step of creating rights and responsibilities. The ITPDCA is an attempt to delegate the responsibility of regulating national data privacy rights and responsibilities to the FTC.
A very contentious issue in all data privacy legislation is the enforcement mechanisms. Consumer interest groups always want a private right of action and business interest groups always wish to avoid a private right of action. This legislation would NOT include a private right of action. It would only be enforceable by state officers and the FTC.
A very important aspect of this legislation is that it is pre-emptive. It is pre-emptive for any controller subject to this act (or a regulation promulgated pursuant to this act), against any state or local law that is focused on the reduction of privacy risk through the regulation of the collection of sensitive personal information and the collection, storage, processing, sale, sharing with third parties, or other use of such information. Putting that into perspective, this law would pre-empt the Illinois Biometric Information Privacy Act (BIPA), CCPA, VCDPA, and possibly others.
Finally, and most importantly, we should review the substance of what the Act would do. As a reminder, this Act wouldn’t directly establish any rights or responsibilities, it would bestow the responsibility of promulgating regulations upon the FTC. (This Act would obligate the FTC to promulgate regulations that) [hereinafter, “this Act would”] require affirmative, express, and opt-in consent to any kind of collection, storage, processing, sale, sharing, or other use of sensitive personal information. Prior to gaining any value from, or preserving any sensitive personal information about a user, a controller would have to be instructed by that individual that they want their sensitive personal information to be used in that way. Additionally, this Act would require controllers to allow users to opt-out at any time.
This Act would require controllers to undergo privacy audits annually from qualified, independent third-party auditors and make public whether or not they were found to be compliant. The audit would set forth the privacy, security, and data use controls the controller uses to comply with this Act. Then the audit would describe whether or not the used methods are appropriate for the controller, based on its size and complexity, the nature of the activities of the controller, and the nature of the sensitive personal information at issue. The audit would certify whether in practice the controls utilized effectuated the desired data privacy goals. The findings of these audits ultimately would need to be provided to the FTC or state officer responsible for enforcement.
Let’s take a look at how the substance of this Act compares to the CCPA and the VCDPA.
|Table 1. A comparison of the rights granted by CCPA, CPRA, VCDPA, and ITPDCA|
|Law||CCPA||CCPA, as amended by CPRA||VCDPA||ITPDCA|
|Private Right of Action||For Data Breaches||For Data Breaches||NO||NO|
|Against Automated Decision-Making||NO||YES||YES||NO|
As you can see from Table 1, ITPDCA doesn’t provide any Data Subject Request (DSR) rights. It also doesn’t provide a private right of action or protect users against automated decision-making. However, it does protect sensitive personal information, limiting controllers from interacting with sensitive personal information without affirmative, express, opt-in consent regardless of the user’s age.
|Table 2. A comparison of the obligations imposed by CCPA, CPRA, VCDPA, and ITPDCA|
|Law||CCPA||CCPA, as amended by CPRA||VCDPA||ITPDCA|
|Prohibition on Discrimination||NO||YES||YES||NO|
Controllers have fewer obligations under ITPDCA, see Table 2. They do have to provide notice and transparency regarding their privacy policies, and through audits require controllers to perform risk assessments, but there is neither a prohibition on discriminating against users who do not opt-in, nor is there a purpose or processing limitation to the controller’s interaction with the user’s sensitive personal information. This is in line with the opt-in approach, they can interact with user information however the user expressly permits them to (and no further).
As discussed, ITPDCA would pre-empt both the CCPA and the VCDPA. This means that the CCPA and VCDPA would no longer be in effect and nationally ITPDCA would be the law governing data privacy rights. Due to differences between it and the state laws, this means that privacy rights would grow in some ways and would shrink in other ways. It is an example of Federalism at work. California has been able to experiment with its own data privacy laws. Californians and outsiders alike have been able to watch it play out and see what has worked well and what hasn’t worked well. The Federal Government can – through passing ITPDCA (or a similarly focused law) – supersede the CCPA and make a national data privacy law, but it can also stay on the sidelines and allow for more experiments to pop-up in Virginia, possibly Connecticut, Colorado, Pennsylvania, and elsewhere.
Advantages of a National Data Privacy Law
There is a benefit to having national uniformity in data privacy laws. It makes it easier for businesses to do business nationally without incurring additional costs of complying with various state data privacy laws. It lowers the costs of doing business in the United States. Conversely, the current hodge-podge of data privacy laws increases the cost of compliance for organizations. Thankfully, there is already a way to keep the costs of compliance low in the current data privacy compliance market: Clarip. Clarip’s advanced hybrid-AI software handles the difficult parts of data privacy compliance. From data-mapping with our Data Risk Intelligence Scan to our end-to-end DSR fulfillment and everything between, Clarip makes data privacy compliance cost-effective and easy, no matter how many states get in the game.
Another potential benefit of a national data privacy law is the question of adequacy. With multiple state laws, but no federal data privacy law, the EU can’t make a blanket statement that data transfers to the US are okay. Data protection laws in California and/or Virginia may be individually adequate, but without a national adequacy determination, American businesses likely have to resort to Standard Contractual Clauses (SCCs) to utilize data from European data subjects.
Disadvantages of a National Data Privacy Law
There are also drawbacks to having a uniform national data privacy law. The national standard may not be as niche as the state law. The CCPA was amended by the CPRA, which was a ballot initiative. It was the will of the people of California. Californians may have a different overall sentiment towards data privacy than Alabamans. This leads to national data privacy laws being a looser fit for most states – less-fitted to their actual needs.
Another drawback of having a uniform national data privacy law is that there will be less room for experimentation with fixes as times change. State governments will generally be able to react more quickly to changes in technology than the national government. State governments will also be able to act more boldly. Inevitably this will lead to better solutions to the challenges ahead – challenges that would take longer to discover and correct at the national level.
Only time will tell what happens with the ITPDCA and with data privacy laws throughout the US. One thing you can definitely count on is Clarip. We will be ready and willing to help you comply with any data privacy law that you need help with. Reach out to us for a free demo today! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.