As Internet use spread, accessing and storing data became easier, and so did accessing it without authorization. Protection of personal data was a concern for years before the European Union enacted its General Data Protection Regulation (GDPR) in 2016. Since then, businesses worldwide have been held to high standards with the real possibility of massive fines. US companies with links to EU residents have also been forced to comply. Now, a new bill presented in the House of Representatives – the Information Transparency and Personal Data Control Act – could give the US its own GDPR-type law.
The Intention Behind the Information Transparency and Personal Data Control Act
Legislators hope to improve consumer privacy by enacting the Information Transparency and Personal Data Control Act (the “Act”). In fact, lawmakers designed the Act to “establish a uniform set of rights for consumers and create one set of rules for businesses to operate in.”
The Act itself states that the United States needs a “balanced, high-standard digital privacy framework that complements global standards.” Without explicitly mentioning the GDPR, legislators appear to want a system that does not copy the GDPR but, instead, works in harmony with it.
Several tech organizations support the Act, which also contains concessions for businesses.
The Future of Personal Data Protection in the United States
If the Act passes in its current form, the following provisions may come into play:
- Definitions of sensitive personal information, including financial account numbers, biometric information, and precise geolocation data.
- Exclusions from the sensitive personal information definition, including publicly available information.
- Opt-in consents for consumers to allow the use of their personal data.
- Opt-out consents to allow consumers to deny the use of their data.
- Regulations over the controller-processor relationship.
- Requirements for controllers and processors to engage a qualified third party to run privacy audits every two years. However, this applies only to companies that process sensitive information for more than 250,000 people per year.
- Actions exempt from the bill, including fraud detection, enforcing agreements, and completing the transaction in progress.
- Federal Trade Commission (FTC) and state enforcement.
- State preemption, meaning the Act will override some state laws.
- No private right of action, which means consumers cannot sue under the Act. Only the FTC and state authorities can enforce it.
If the bill becomes law, the FTC has 18 months to prepare and publish regulations. Businesses may have to hire additional personnel or buy software to stay in compliance. However, companies currently complying with the GDPR may already be close to achieving the Act’s objectives.
About the Author
Attorney Richard Sierra at the Florida Small Business Center assists clients like you with business and litigation matters. As always, Our Goal Is to Help You Succeed™. For an appointment, you may call us at 1-866-842-5202 or use the contact form on our website. We represent clients throughout the State of Florida, including Coral Springs, Coconut Creek, Boca Raton, Delray Beach, Pompano Beach, Sunrise, Fort Lauderdale, Miami, West Palm Beach, Jupiter, Deerfield Beach, Stuart, Port St. Lucie, Orlando, Naples, Fort Myers, Sarasota, Tampa, and surrounding communities.