The House Energy and Commerce Committee (E&C) released an initial draft of a bipartisan Federal privacy bill on Dec. 18.
The draft legislation, a summary of which was obtained by MeriTalk, covers a wide array of privacy issues. The bill primarily focused on giving the Federal Trade Commission (FTC) new requirements and responsibilities.
“Committee staff have circulated a bipartisan staff discussion draft of comprehensive federal privacy legislation,” an Energy and Commerce spokesperson told The Hill. “This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”
However, E&C member Rep. Cathy McMorris-Rodgers, R-Wash., noted that the legislation is by no means finalized – in a statement, she emphasized that the draft is unfinished. She has been working alongside Rep. Jan Schakowsky (D-Ill.), a key Democrat on the committee.
“This staff draft is not a finished product but will serve as an important step in the process for us to solicit feedback and continue to negotiate a final bill,” McMorris-Rodgers said. “I’m appreciative of the bipartisan staff work that has gone into this and am committed to continue working with Chair Schakowsky [D, Ill.] towards a bipartisan privacy bill.”
If the legislation passes, the FTC will be required to issue a host of new regulations, including requiring entities to:
- Publish privacy policies in “plain and concise” English and other relevant languages “depending on targeted audiences;”
- Establish privacy programs, which cover both privacy and other risks resulting from the collection and processing of personal information;
- Establish “reasonable” data security measures “consistent with the size, scope, nature, and complexity of the covered entity’s business activities.” Additionally, entities are required to conduct periodic assessments of those measures;
- Notify the FTC of a data breach and submit their security policies to the Commission in the event of a breach; and
- Bans entities from using “take-it-or-leave-it” in their data privacy policies. It also prohibits the use of financial incentives to entice users to waive their privacy rights.
E&C’s draft bill would also require the FTC to:
- Establish “affirmative rights of individuals to control their information through the rights to access, correct, and delete information held by covered entities, with limited exceptions;”
- Develop rules to ensure that data is only retained by entities for a time period that is “reasonably necessary for the purpose for which the covered information is processed;”
- Ensure that the disclosure of information covered under the legislation to third parties is limited unless certain conditions are met. The legislation notes that for entities to disclose information to data processors there must be a contract which prohibits further processing of information and requires te processor to provide policy and security protections;
- Create a centralized registry of information brokers where consumers can both identify information brokers and learn how to exercise their rights to access, correct, and delete information held about them;
- Tackle the discriminatory use of data. To do so, the FTC is required to submit reports to every two years which detail discriminatory uses of data, enforcement actions taken, the FTC’s enforcement priorities, resources the FTC needs, and developments in technology to process covered information that may result in discrimination;
- Create a Bureau of Privacy within the FTC, the Bureau would include new certified privacy professionals; and
- Establish an Office of Business Mentorship within the new Bureau of Privacy. The Office would “consult with business, provide guidance, and help them comply with the law.”
In terms of enforcing the new legislation, Congress would grant the FTC civil penalty authority for the first instance of an entity violating the legislation. It would also provide state attorneys general with the authority to enforce the Federal legislation in the same manner as the FTC.
The deadline for Congressional feedback on the legislation is Jan. 24.