Draft Federal Privacy Bill Introduced in Congress

Whether the US will pass federal privacy legislation has been a question for many years, but one that has taken on new significance since California passed a sweeping state privacy law in 2018.  Other states are following California's lead: Nevada has a limited privacy bill, and Virginia is the first of possibly several states to pass a privacy law this year.  

The Information Transparency and Data Control Act has been introduced in prior sessions of Congress, but not made much progress.  The bill would specifically pre-empt conflicting state privacy laws, thereby creating a single standard that in theory would be easier for business compliance purposes.  It would establish standards for what information is considered "private" and as to which companies must seek permission for any use.  Finally, the bill would require plain English, transparent privacy policies to inform consumers of what companies collect and how they use it (including with whom they share it).  

On the enforcement side, it would empower the Federal Trade Commission to enforce the law and to make implementing rules relating to privacy matters -- the first time any federal agency would have Congressionally-delegated power over privacy.  And it would require that large companies covered by the law submit to an outside privacy audit every two years (small companies would be exempt from this requirement).

Unlike the emerging state bills, the ITDCA would not establish a "consumer bill of rights" that allows them to access, correct, or delete information collected about them.  In this way, it is also narrower than the European rules that kicked off the modern privacy era in 2016.  

The ITDCA is a long way from becoming law, and especially when Congress is attending to high-profile issues such as the pandemic and the filibuster.  However, its introduction and the attention it has received are signs that there is some interest at the federal level to push for a single, national privacy framework that could establish clear standards for both business and consumers.  We know that privacy is a growing area of concern for regulators across the globe as well as across the country.  It remains to be seen whether Congress believes the time is right to join the privacy club.