Federal Bill May Soon Make Privacy Regulation Patchwork a Thing of the Past

Lydia Bayley
Associate Editor
Loyola University Chicago School of Law, JD 2022

While the COVID-19 pandemic undeniably pushed many legislative agendas to the back burner, some seem to be heating back up. With the 117th Congress now in session, data privacy is once again moving to the forefront of federal legislative debate. For decades, the United States has been governed by a patchwork of data privacy laws and regulations. But that may soon change. On March 10th Representative Suzan DelBene (D-WA) introduced the Information Transparency and Personal Data Control Act (“ITPDCA”), the latest bill aimed at tackling data privacy regulation on a national scale. And as state laws like the California Consumer Privacy Act and the Virginia Consumer Data Protection Act continue to make headlines, Congress seems to be feeling the pressure to deliver comprehensive data privacy regulation.

The need for comprehensive federal legislation

While federal law currently provides a partial foundation for data privacy regulation, statutes such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act only target specific types of personal information, leaving a significant amount of consumer data at risk. And despite calls for comprehensive data privacy regulation on both sides of the aisle, Congress has yet to pass the necessary federal legislation.

In the absence of federal guidance, a number of states have introduced their own comprehensive data privacy laws. And as the number of states implementing their own data privacy regimes continues to grow, so does the burden of ensuring compliance. Despite many similarities, each of these state laws has distinct variations concerning the types of businesses that must comply and what protections are granted to consumers. These discrepancies leave consumers confused about their rights and businesses with the burden of meeting each state’s unique requirements. Comprehensive federal regulation would help address both of these issues by giving consumers a uniform set of rights and streamlining compliance requirements for businesses.

Requirements and enforcement under the ITPDCA

While existing federal laws focus privacy and protection on specific types of data, the ITPDCA will apply to a wide range of personal information including financial, health, genetic, biometric, and geolocation data, as well as information regarding individuals’ sexual orientation, citizenship and immigration status, social security numbers, and religious beliefs. In addition, businesses and websites would be required to provide clear and understandable privacy policies, written in “plain English.”

The ITPDCA would create a unified national privacy standard by preempting conflicting state laws. And while the legislation parallels many aspects of existing state legislation, it includes several key requirements. The bill aims to make privacy the default, requiring companies to provide consumers with an opt-in consent form before collecting sensitive information such as financial, health, and location data. It also gives individuals the ability to opt out of having their personal data collected at any time and requires companies to tell consumers if and why their information is being shared with third parties. However, under the bill’s liability shield provisions, companies will not be held responsible if third-party contractors fail to provide opt-in or opt-out consent. Additionally, companies using over 250,000 individuals’ personal data per year would be required to obtain and publish a privacy audit every two years from a neutral third party.

While the ITPDCA does not provide individuals with a private right of action, it puts enforcement front-and-center. The bill charges the Federal Trade Commission with enforcing the legislation and promulgating additional regulations as it sees fit. State Attorneys General would also be authorized to pursue enforcement when the FTC chooses not to act on a violation. If passed, the law would provide the FTC with $350,000,000 in additional funding and order the agency to hire 500 new full-time employees to facilitate enforcement under the Federal Trade Commission Act’s existing unfair or deceptive acts or practices regime.

A promising step towards federal regulation

The bill is widely considered to be business-friendly and has already received support from industry stakeholders and trade organizations including the National Retail Federation, the Main Street Privacy Coalition, and the U.S. Chamber of Commerce. Additionally, the legislation is in a strong position to gain bipartisan support due to its federal preemption provision and lack of a private right of action, making the ITPDCA a strong contender on the path to federal data privacy regulation.