Information Transparency & Personal Data Control Act (HR 2013, 116th Congress)

Policy Details

Originating Entity
Last Action
Referred to the House Committee on Energy and Commerce
Date of Last Action
Apr 1 2019
Congressional Session
116th Congress
Date Introduced
Apr 1 2019
Publication Date
May 2 2019
Date Made Public
Apr 1 2019

SciPol Summary

This bill requires the Federal Trade Commission (FTC) to establish and enforce regulations for entities (i.e., “Controllers”) handling sensitive user-data. The bill opens with several findings regarding the government’s need to provide, advise on, and enforce digital consumer rights and protections of sensitive user-data. It then sets out sections covering requirements for the regulation of sensitive user-data, possible exemptions from such regulation, enforcement mechanisms of the FTC, States’ rights pertaining to data regulation, and, lastly, limitations to the bill’s provisions.

Per the definitions provided within the bill, sensitive user-data is content pertinent to an identifiable individual, including information such as:

  • Financial account information;
  • Health information;
  • Genetic and biometric data;
  • Information pertaining to children under the age of 13;
  • Social Security Numbers and other government-issued identifiers;
  • Authentication credentials (e.g., usernames and passwords);
  • Geolocation information;
  • Call, text, and internet browsing history;
  • Sexual and religious orientation; and
  • Any communication data shared beyond the intentions of the communicator.

Regarding the proposed regulatory requirements, the bill provides the following outline of regulations for the FTC to establish within a year of the bill’s passing:

  • Affirmative, Express, and Opt-In Consent: Controllers must present users with specific requests for consent to use, store, process, share, or sell any sensitive data collected.
  • Privacy and Data Use Policy: Controllers must ensure that users have unmitigated access to clear, concise, and current privacy and data use policies of the Controller. Per the bill, these policies must also include the following provisions:
    • Identification and contact information of the Controller and of any third-parties with access to sensitive data;
    • Indication of the explicit kinds of data collected, as well as the purpose and length of the Controller’s storage of the sensitive data;
    • Instructions on how users may withdraw their consent to share sensitive information with the Controller;
    • Explanation of how collected sensitive data will be protected from unauthorized access or acquisition.
  • Privacy Audits: Controllers must obtain an audit of their privacy, security, and data use controls from a qualified and independent third-party. Audits will evaluate whether Controllers’ privacy, security, and data use controls are appropriate given the nature of the Controller and data collected. Controllers must also be prepared to publicize the audits and strategies to correct practices that are found to not be compliant.

The FTC will enforce these regulations and is authorized to treat any violations of them similarly to violations of the Federal Trade Commission Act regarding unfair or deceptive acts or practices. Should any State wish to bring action against a Controller it believes violates this bill, it may do so in the relevant district court, so long as the FTC is given notice and is heard on any matters pertaining to the State’s action against the Controller.

Finally, to enable the FTC’s creation and enforcement of this bill’s required regulations, the bill authorizes an appropriation of $35 million to the FTC and requires the FTC to hire new full-time employees (15 with relevant technology expertise) to focus on the FTC’s efforts regarding privacy and data security.

SciPol Summary authored by