Representative Susan DelBene (D-WA-1) proposed a unified framework for data privacy protection with the Information Transparency & Personal Data Act of 2019. The bill expands the scope of sensitive personal information (SPI)—the class of data deemed to warrant protection—and requires the Federal Trade Commission (FTC) to regulate and enforce firms’ data security measures.
An existing legal definition of SPI covers personal identifiers (name, social security number, date and place of birth, mother’s maiden name, biometric records) and information on education, financial transactions, and medical and criminal history. Under this bill, SPI would also explicitly include the content of wire, oral, and electronic conversations; call detail records such as originating and receiving telephone numbers and the duration of a telephone call; web-browsing and app-usage history; genetic data; sexual orientation; religious beliefs; information on children under the age of thirteen; usernames and passwords; and precise geolocation. Excluded from this definition are employment data, de-identified information, and publicly available information.
Within one year of enactment the FTC will require service providers that collect SPI to present users with a concise, clear, and intelligible privacy and data usage policy free of charge. Data usage policies must outline how SPI is collected and stored, for what purpose, and with whom it is shared. Users will be entitled to opt in or out of data collection, storage, and usage (including sale) at any time and must be properly informed on how to do so. Service providers are required to let users access and export their own SPI.
The FTC must also require service providers collecting SPI to undergo annual privacy audits by independent third parties. The auditor will certify that the security measures are adequate to the nature and scale of the data collected. Exempt from auditing are firms that collect data from fewer than 5,000 individuals, as well as firms that collect data other than SPI.
Service providers will face no limitation on their collection and use of behavioral data—information like users’ page views, email sign-ups, and product preferences. Auditing of security measures, however, would apply to behavioral data as well.
Violations of these rules will be considered unfair or deceptive practices and prosecuted under the Federal Trade Commission Act. There are important exemptions:
- Disclosure requirements will not apply to any use of SPI for security purposes, ranging from protecting the public interest and vital individual interests to preventing criminal activity or auditing companies’ processes.
- Opt-in consent for “processing, storage, and collection” of SPI will not be necessary if those activities are consistent with the service being offered by the entity collecting the information. Users will nevertheless need to explicitly agree to other uses of their SPI, such as sale and sharing with third parties.
- This act does not preclude the federal government from acquiring SPI for national security purposes under the Wiretap Act and the Foreign Intelligence Surveillance Act of 1978.
“This proposal would significantly strengthen the FTC’s enforcement capabilities, establish uniform national rules for the digital economy, and ensure businesses are focused on protecting consumers’ most sensitive information,” said Daniel Castro, Vice President of the Information Technology and Innovation Foundation. Current US regulation places data protection under different frameworks depending on the nature of the data. For instance, health data fall under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), data collected by financial institutions under the Gramm-Leach-Bliley Act of 1999, and data collected by federal agencies under the Federal Information Security Management Act (FISMA) of 2002.
The bill complements current regulation without limiting it, and by proposing a unified framework for data privacy protection it would bring US protection of digital rights closer to the General Data Protection Regulation (GDPR) of the European Union.