For years, we have seen on-again and off-again efforts in the U.S. to introduce a national data privacy law.
With no current national law, states are forced to create their own privacy policies, which can be confusing and complicated for organizations operating in multiple states.
Thankfully, it appears we have taken one step closer to having a national data privacy law.
Congresswoman Suzan DelBene of Washington state has recently introduced the Information Transparency and Personal Data Control Act, which would create a national data privacy standard and bring U.S. laws into the 21st Century.
What's included in the proposed federal privacy law?
The new bill aims to protect numerous categories of personal information. This includes financial data, health, genetic, biometric, geolocation, sexual orientation, citizenship, immigration status, Social Security numbers, and religious beliefs. It also provides safeguards for information about children under age 13.
Congresswomen DelBene had this to say about the new bill:
"Data privacy is a 21st Century issue of civil rights, civil liberties, and human rights and the U.S. has no policy to protect our most sensitive personal information from abuse. With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans. This bill will create those critical protections. This is an international issue as much as it is a domestic concern. If we do not have a clear domestic policy, we will not be able to shape standards abroad, and risk letting others, like the European Union, drive global policy."
Many of the provisions in this bill come from current state privacy laws.
DelBene says there are some key elements included in the Information Transparency and Personal Data Control Act:
- Plain English: Requires companies to provide their privacy policies in "plain English."
- Opt-in: Allows users to "opt-in" before companies can use their most sensitive private information in ways they might not expect.
- Disclosure: Increases transparency by requiring companies to disclose if and with whom their personal information will be shared and the purpose of sharing the information.
- Preemption: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws.
- Enforcement: Gives the Federal Trade Commission strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. Empowers state attorneys general to also pursue violations if the FTC chooses not to act.
- Audits: Establishes strong "privacy hygiene" by requiring companies to submit privacy audits every two years from a neutral third party.
Industry expert's thoughts on national privacy law
According to a statement from DelBene, 70% of Americans believe their data is less secure now than it was five years ago, and 45% say they had their personal information compromised in a data breach with limited to no accountability for those responsible.
Daniel Castro, Vice President of Information Technology and Innovation Foundation, also thinks its time for a national privacy law:
"This bill shows that it is possible to craft a data protection law that protects consumers without imposing unnecessary costs on businesses. By significantly strengthening the FTC's enforcement capabilities, establishing uniform national rules for the digital economy, and ensuring businesses focus on protecting consumers' most sensitive information, this legislation would boost consumer protection without sacrificing innovation. We encourage Congress to use this as a roadmap for how it should move forward in the digital economy to provide certainty to consumers and business alike."
Tom Quaadman, Executive Vice President at the U.S. Chamber Technology Engagement Center, shared his thoughts:
"It's time for Congress to pass a national privacy law that gives every American the right to control their privacy, no matter where they live, with a clear set of rules for all businesses, no matter where they operate. The Information Transparency and Personal Data Control Act is a promising first step in bringing consumers, the private sector, and policymakers together to protect sensitive information from bad actors."
Is a U.S. national privacy law the right approach?
The way a bill enters Congress versus the finished product often looks a lot different.
Jordan Fischer, the Global Data Privacy Practice Group Leader at Beckage Law, says this is why we should be cautious about a national privacy law:
"The problem is, what is that law going to look like? Because right now, a lot of the states have heightened protections than we're seeing nationally. From a societal standpoint, do we want to give up some of those protections in order to have that cohesive national view? And do we feel like that national view is going to be sufficient to protect us?
So it's kind of hard to say, sitting here, that it would be better, however, I do think that it would be more efficient. I think it'd be easier on companies, I think it'd be easier on individuals, because understanding what the standard is, both from a company operational side, and from a consumer side, frankly, would be easier, right?"
For more information on the Information Transparency and Personal Data Control Act, read Congresswomen DelBene's statement.