H. R. 1816
IN THE HOUSE OF REPRESENTATIVES
March 11, 2021
Ms. DelBene (for herself, Mr. Kilmer, Ms. Strickland, Ms. Houlahan, Mr. Blumenauer, Mr. Himes, Mr. Crist, Mr. Larson of Connecticut, Ms. Wild, Mr. Perlmutter, Mr. Cartwright, Mr. Horsford, Mr. Case, Mr. Ryan, Ms. Slotkin, Ms. Schrier, Mr. Beyer, Mr. Larsen of Washington, and Mr. Costa) introduced the following bill; which was referred to the Committee on Energy and Commerce
To require the Federal Trade Commission to promulgate regulations related to sensitive personal information, and for other purposes.
This Act may be cited as the "Information Transparency & Personal Data Control Act".
Sense of Congress
It is the Sense of Congress that—
the United States must develop a balanced, high-standard digital privacy framework that complements global standards;
a key element of this framework is a strong national standard that combats anti-consumer practices;
it is critical that the Federal Government provide guidance on the collection, processing, disclosure, transmission and storage of sensitive data;
it is important to provide the Nation with fair and thoughtful digital consumer rights with respect to such data;
it is important to ensure that enforcement authorities have the resources needed to protect consumers from unlawful and deceptive acts or practices in the data privacy and security space; and
individuals have a right to—
exercise control over the personal data companies collect from them and how they use it;
easily understandable and accessible information about privacy and security practices;
expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data;
secure and responsible handling of sensitive personal information;
access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate; and
reasonable limits on the personal data that companies collect and retain.
Requirements for sensitive personal information
Not later than 18 months after the date of enactment of this Act, the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, to require, except as provided in subsection (b), controllers, processors, and third parties involved in the collection, transmission, storage, processing, sale, sharing, or other use of sensitive personal information of persons operating in or located in the United States, when the sensitive personal information is collected, transmitted, stored, processed, sold, or shared, to meet the following requirements:
Affirmative, express, and opt-in consent
Any controller shall provide users whose personal information is collected, transmitted, stored, processed, sold, or otherwise shared with notice, through a privacy and data use policy, of a specific request to collect, transmit, sell, share, or otherwise disclose their sensitive personal information, and shall require that users provide affirmative, express consent to any functionality that involves the sale, sharing, or other disclosure of sensitive personal information, including sharing sensitive personal information with third parties, if the sensitive personal information is to be used by the third party for purposes other than the purposes outlined in the notice.
The documented instruction from a controller to a processor or third party shall adhere to the limits of the consent granted in subparagraph (A), and processors and third parties shall not use or disclose the sensitive personal information for any other purposes or in any way that exceeds the limits of the consent granted in subparagraph (A).
Controllers and processors shall not be liable for the failure of another processor or third party to adhere to the limits of an opt-in consent granted under subparagraph (A).
Privacy and data use policy
Controllers, processors, and third parties shall publicly maintain an up-to-date, transparent privacy, security, and data use policy that meets general requirements, including that such policy, presented in the context where it applies—
is concise, intelligible, and uses plain language;
is clear and conspicuous consistent with the guidelines of the Federal Trade Commission;
uses visualizations, where appropriate to make complex information understandable by the ordinary user; and
is provided free of charge.
Additional requirements for privacy and data use policy
The privacy, security, and data use policy required under paragraph (2) shall include the following:
Identity and contact information of the entity collecting or processing the sensitive personal information.
The purpose or use for collecting, storing, processing, selling, sharing, or otherwise using the sensitive personal information.
Categories of third parties with whom the sensitive personal information will be shared and for what general purposes.
The process by which individuals may withdraw consent to the collecting, storing, processing, selling, sharing, or other use of the sensitive personal information, including sharing with third parties.
How a user, controller, or processor can view or obtain the sensitive personal information that they have received or provided to a controller or processor, including whether it can be exported to other web-based platforms.
The categories of sensitive personal information that is collected by the controller or processor and shared with processors or third parties.
How sensitive personal information is protected from unauthorized access or acquisition.
For any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information, including sharing with third parties, controllers shall provide users with the ability to opt out at any time.
Controllers shall honor an opt out request from a user under subparagraph (A) to the extent of its role in any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information and shall communicate an opt-out request to the relevant processor or third party with which the controller has shared information regarding that user.
Processors or third parties receiving an opt out pursuant to subparagraph (A) and (B) shall comply with such opt out to the extent of their role in any collection, transmission, storage, processing, selling, sharing, or other use of non-sensitive personal information.
Any controller that communicates an opt out from a user as required by subparagraph (B) shall not be liable for the failure of a service provider or third party to comply with such opt out.
Relationship Between Controller and Processor
Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that requires the processor to process the personal data only on documented instructions from the controller.
Processors shall share sensitive personal information with a subcontractor only for purposes of providing services and only after first providing the controller with an opportunity to object.
In no event may any contract or documented instructions relieve a controller or a processor from the obligations and liabilities imposed on them by this Act.
Except as provided in subparagraphs (C) and (D), at least once every 2 years, each controller, processor, or third party that has collected, transmitted, stored, processed, sold, shared, or otherwise used sensitive personal information shall—
obtain a privacy audit from a qualified, objective, independent third party; and
make publicly available whether or not the privacy audit found the controller, processor, or third party compliant.
Each such audit shall—
set forth the privacy, security, and data use controls that the controller, processor, or third party has implemented and maintained during the reporting period;
describe whether such controls are appropriate to the size and complexity of the controller, processor, or third party, the nature and scope of the activities of the controller, processor, or third party, and the nature of the sensitive personal information or behavioral data collected by the controller, processor, or third party;
certify whether the privacy and security controls operate with sufficient effectiveness to provide reasonable assurance to protect the privacy and security of sensitive personal information or behavioral data, including with respect to data shared with third parties, and that the controls have so operated throughout the reporting period;
be prepared and completed within 60 days after a substantial change to the controller's privacy and data use policy described in paragraph (2); and
be provided—
to the Federal Trade Commission; and
to any attorney general of a State, or other authorized State officer, within 10 days of receiving a written request by such attorney general or other authorized State officer, where such officer has presented to the controller, processor, or third party allegations that a violation of this Act or any regulation issued under this Act has been committed by the controller, processor, or third party.
Small business audit exemption
The audit requirements described in this paragraph shall not apply to controllers who collect, store, process, sell, share, or otherwise use sensitive personal information relating to 250,000 or fewer individuals per year.
Non-sensitive personal information exemption
The audit requirements set forth above shall not apply to controllers, processors or third parties who do not collect, store, process, sell, share, or otherwise use sensitive personal information.
Rules that do not incentivize selling information
The Commission shall promulgate rules regarding the qualifications and requirements of third-party auditors, including a duty to conduct an independent assessment that does not incentivize the auditor to sell products or services to the controller under the guise of a potential violation when there is no violation of this Act.
Necessary operations and security purposes
Subsection (a) shall not apply to the collection, transmission, storage, processing, sharing, or sale of sensitive and non-sensitive personal information for the following purposes:
Preventing or detecting fraud, identity theft, unauthorized transactions, theft, shoplifting, or criminal activity including financial crimes and money laundering.
Identifying errors that impair functionality, or otherwise enhancing or maintaining the availability of the services or information systems of the controller for authorized access and use.
Protecting the vital interests of the consumer or another natural person.
Responding in good faith to valid legal process or providing information as otherwise required or authorized by law.
Protecting the property, services, or information systems of the controller, processor, or third party against unauthorized access or use.
Advancing a substantial public interest, including archival purposes, scientific or historical research, and public health, if such processing does not create a significant risk of harm to consumers.
Uses authorized by the Fair Credit Reporting Act or uses by a commercial credit reporting agency.
Completing the transaction for which the personal information was collected, providing a good or service requested by the consumer that is reasonably anticipated within the context of a business's ongoing relationship with the consumer, billing or collecting for such good or service, or otherwise performing a contract between the controller and a consumer.
Complying with other Federal, State, and local law.
Conducting product recalls and servicing warranties.
Reasonable expectation of users
The regulations promulgated pursuant to subsection (a) with respect to the requirement to provide opt-in consent shall not apply to the processing, transmission, storage, selling, sharing, or collection of sensitive personal information where such processing does not deviate from purposes consistent with a controller's relationship with users as understood by the reasonable user, including but not limited to—
carrying out the term of a contract or service agreement, including elements of a customer loyalty program, with a user;
accepting and processing a payment from a user;
completing a transaction with a user such as through delivering a good or service even if such delivery is made by a processor or third party;
marketing goods or services to a user as long as the user is provided with the ability to opt out of such marketing;
taking steps to continue or extend an existing business relationship with a user, or inviting a new user to participate in a customer promotion, benefit or loyalty program, as long as the user is provided with the ability to opt out;
conducting internal research to improve, repair, or develop products, services, or technology; or
Application and enforcement by the Federal Trade Commission
Notwithstanding the limitations in the Federal Trade Commission Act (15 U.S.C. 41 et seq.) on Commission authority with respect to common carriers, this Act applies, according to its terms, to common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts amendatory thereof and supplementary thereto. The Federal Trade Commission shall be the only Federal agency with authority to enforce such common carriers' privacy practices.
Unfair or deceptive acts or practices
A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
Powers of commission
Except as provided in subsection (a), the Federal Trade Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
Nothing in this Act shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.
Opportunity to Comply
The Commission shall notify a controller of alleged violations and provide the controller with 30 days to cure a non-willful violation of this Act before the Commission commences an enforcement action.
Enforcement by State attorneys general
Right of action
Except as provided in subsection (e), the attorney general of a State, alleging a violation of this Act or any regulation issued under this Act that affects or may affect such State or its residents may bring an action on behalf of the residents of the State in any United States district court for the district in which the defendant is found, resides, or transacts business, or wherever venue is proper under section 1391 of title 28, United States Code, to obtain appropriate injunctive relief.
Notice to commission required
A State shall provide prior written notice to the Federal Trade Commission of any civil action under subsection (a) together with a copy of its complaint, except that if it is not feasible for the State to provide such prior notice, the State shall provide such notice immediately upon instituting such action.
Intervention by the commission
The Commission may intervene in such civil action and upon intervening—
be heard on all matters arising in such civil action; and
file petitions for appeal of a decision in such civil action.
Nothing in this section shall be construed—
to prevent the attorney general of a State, or other authorized State officer, from exercising the powers conferred on the attorney general, or other authorized State officer, by the laws of such State; or
to prohibit the attorney general of a State, or other authorized State officer, from proceeding in State or Federal court on the basis of an alleged violation of any civil or criminal statute of that State.
No separate action
An action may not be brought under subsection (a) if the same alleged violation is the subject of a pending action by the Commission or the United States.
Exclusive period to act by commission
An action—
may not be brought under subsection (a) until the expiration of the 60-day period that begins on the date on which a violation is discovered by the Commission or the date on which the Commission is notified of the violation; and
may only be brought under subsection (a) if the Commission does not bring an action related to the violation during such period.
Opportunity to Comply
Prior to bringing any action under this section, the State attorney general shall notify a controller of alleged violations and provide the controller with 30 days to cure a non-willful violation of this Act before commencing an enforcement action.
Privacy and data security employees and funding for the Commission
The Commission shall hire 500 new full-time employees to focus on privacy and data security, 50 of which shall have technology expertise.
Additional funding for privacy and data security
There is authorized to be appropriated to the Commission $350,000,000 for issues related to privacy and data security.
In this Act the following definitions apply:
Call detail record
The term call detail record—
means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call;
does not include—
the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;
the name, address, or financial information of a subscriber or customer;
cell site location or global positioning system information; or
Clear and prominent
The term clear and prominent means in any communication medium, the required disclosure is—
of a type, size, and location sufficiently noticeable for an ordinary consumer to read and comprehend the communication;
provided in a manner such that an ordinary consumer is able to read and comprehend the communication;
presented in an understandable language and syntax;
includes nothing contrary to, inconsistent with, or that mitigates any statement contained within the disclosure or within any document linked to or referenced therein; and
includes an option that is compliant with applicable obligations of the controller under title III of the Americans with Disabilities Act of 1990 (42 U.S.C. 12181 et seq.).
The term collection means buying, renting, gathering, obtaining, receiving, or accessing any sensitive data of an individual by any means.
The term Commission means the Federal Trade Commission.
The term controller means a person that, on its own or jointly with other entities, determines the purposes and means of processing sensitive personal information.
The term de-identified data means information held that—
does not identify, and is not linked or reasonably linkable to, an individual or device;
does not contain a persistent identifier or other information that could readily be used to re-identify the individual to whom, or the device to which, the identifier or information pertains;
is subject to a public commitment by the entity—
to refrain from attempting to use such information to identify any individual or device;
to adopt technical and organizational measures to ensure that such information is not linked to any individual or device; and
is not disclosed by the covered entity to any other party unless the disclosure is subject to a contractually or other legally binding requirement.
The term employee data means—
information relating to an individual collected in the course of the individual acting as a job applicant to, or employee (regardless of whether such employee is paid or unpaid, or employed on a temporary basis), owner, director, officer, staff member, trainee, vendor, visitor, volunteer, intern, or contractor;
business contact information of an individual, including the individual’s name, position or title, business telephone number, business address, business email address, qualifications, and other similar information that is provided by an individual who is acting in a professional capacity, provided that such information is collected, processed, or transferred solely for purposes related to such individuals’ professional activities; or
emergency contact information collected by a covered entity that relates to an individual who is acting in a role described in subparagraph (A).
Sensitive personal information
The term sensitive personal information means information relating to an identified or identifiable individual that is—
financial account numbers;
any information pertaining to children under 13 years of age;
Social Security numbers;
unique government-issued identifiers;
authentication credentials for a financial account, such as a username and password;
precise geolocation information;
content of a personal wire communication, oral communication, or electronic communication such as e-mail or direct messaging with respect to any entity that is not the intended recipient of the communication;
call detail records for calls conducted in a personal and not a business capacity;
sexual orientation, gender identity, or intersex status;
citizenship or immigration status;
mental or physical health diagnosis;
religious beliefs; or
web browsing history, application usage history, and the functional equivalent of either that is data described in this subparagraph that is not aggregated data.
The term sensitive personal information does not include—
de-identified information (or the measurement, analysis, or process utilized to transform personal data so that it is not directly relatable to an identified or identifiable consumer);
information related to employment, including any employee data;
personal information reflecting a written or verbal communication or a transaction between a controller and the user, where the user is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transactions with the controller occur solely within the context of the controller conducting due diligence regarding, or providing or receiving a product or service to or from, such company, partnership, sole proprietorship, non-profit, or government agency; or
publicly available information.
The term State means each State of the United States, the District of Columbia, and each commonwealth, territory, or possession of the United States.
The term third party means an individual or entity that uses or receives sensitive personal information obtained by or on behalf of a controller, other than—
a service provider of a controller to whom the controller discloses the consumer’s sensitive personal information for an operational purpose subject to section 3(a)(1)(B) of this Act; and
any entity that uses sensitive personal information only as reasonably necessary—
to comply with applicable law, regulation, or legal process;
to detect, prevent, or mitigate fraud or security vulnerabilities; or
does not determine the purposes and means of processing sensitive personal information.
The term transfer means to disclose, release, share, disseminate, make available, or license in writing, electronically or by any other means, for consideration of any kind for a commercial purpose.
Rules of construction
Nothing in this Act may be construed to preclude the acquisition by the Federal Government of—
the contents of a wire or electronic communication pursuant to other lawful authorities, including the authorities under chapter 119 of title 18, United States Code (commonly known as the "Wiretap Act"), the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), or any other provision of Federal law not specifically amended by this Act; or
records or other information relating to a subscriber or customer of any electronic communication service or remote computing service (not including the content of such communications) pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), chapter 119 of title 18, United States Code (commonly known as the "Wiretap Act"), or any other provision of Federal law not specifically amended by this Act.
Effect on other laws
Nothing in this Act shall be construed to limit or substitute for the requirements under title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), section 444 of the General Education Provisions Act (commonly known as the Family Educational Rights and Privacy Act of 1974) (20 U.S.C. 1232g), or the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
Relationship to state law
No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard related to the data privacy or associated activities of covered entities.
Subsection (a) shall not be construed to—
preempt State laws that directly establish requirements for the notification of consumers in the event of a data breach;
preempt State laws that directly establish requirements regarding biometric information;
preempt State wiretapping laws; or
preempt State public records laws, such as a Public Records Act.
This Act shall take effect 180 days after the date of the enactment of this Act.