New Federal Data Privacy Legislation Proposed

In late March 2021, Representative Suzan DelBene (D-WA 01) introduced legislation in the 117th Congress to protect consumer privacy and put control of consumers' data in their own hands.

DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with its own flavor and each serving the needs of a particular constituency or demographic. DelBene argued that a federal policy would stem consumer confusion and put the United States back into the conversation on global privacy policy. The EU, for example, is pushing its General Data Protection Regulation (GDPR) as the global standard.

The Information Transparency and Personal Data Control Act would ensure that an individual's personally identifiable information (PII), and all information pertaining to children under the age of 13, is protected. The bill requires:

  • Companies must publish their privacy policies in "plain English" within 90 days of the bill's passage.
  • Users must "opt in" before companies may use their sensitive PII. In doing so, the user is made aware of how the information may be used and, more importantly, how it may not be used. Companies will have 90 days to put this capability in place once the legislation becomes law.
  • Companies must be transparent about sharing user information: who, what, where, how and why.
  • The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense, and state attorneys general will be empowered to pursue offenders. If the FTC does not act on a complaint within 60 days, the state attorney general may pursue legal remedies.
  • Trust, but verify: companies holding information on 250,000 or more people must undergo a "neutral" privacy audit every two years to ensure they are handling PII in accordance with the provisions of the Act.

The bill would provide the FTC with 50 additional full-time employees, of whom 15 must be technical experts (not further defined), and initial funding for the program would be $35 million.

Shannon Taylor, senior vice president and senior counsel, Government Affairs, Information Technology Council said, “A comprehensive, national privacy law remains a top policy priority to enable innovation while upholding the individual rights of citizens who entrust companies with their personal data.”

DelBene added, “Having a federal policy is important to have a consistent policy. But it’s also important because, if we’re going to help set global standards, we have to have a domestic policy, and in the absence of domestic policy, it’s unclear what we’re striving for internationally.”

Her timing was impeccable, given that a couple of weeks prior, U.S. District Judge Lucy Koh had ruled that the $5 billion class-action lawsuit alleging Google's Incognito tracking practices violate federal wiretap laws may proceed. Judge Koh noted, with a tinge of irony, that Google was collecting data from visitors to her own court's website. Google explained it was only collecting data to "maintain and improve Google services."

What the bill lacks is any reference to artificial intelligence and facial recognition, both of which are being used (some would say exploited) by companies in their engagement with consumers. DelBene, when pressed on the issue, said there is an urgent need to put in place a general national consumer privacy and data protection framework, and that there is ample time and space to craft technology-specific legislation in the future.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
