It is often a surprise to clients, especially non-U.S.-based clients, to learn that there is no true federal consumer data privacy law in the United States. Rather, this vacuum has been filled by state laws, resulting in a patchwork of compliance for companies that do business nationwide. Typically, for companies, this has meant adhering to the most restrictive laws, which, historically, have been California state data privacy laws (the California Online Privacy Protection Act, California Consumer Privacy Act, and forthcoming California Privacy Rights Act). As of today, another 10 states, including New Jersey, New York, and Massachusetts, continue to actively pursue their own consumer privacy laws that would add to this increasingly intricate patchwork of regulations. It seems inevitable that this path will lead to divergent—or worse yet, conflicting—rules, definitions, and policies.
Enter Representative Suzan DelBene (D-Washington) and the Information Transparency and Personal Data Control Act (ITPDCA).
Introduced in March, the ITPDCA is the latest effort from Congress to set uniform federal standards for consumer data privacy. While federal data privacy bills have been introduced by both the House and the Senate in previous sessions, this latest bill by Rep. DelBene may gain traction and bipartisan support, as it includes some "business friendly" components, such as federal preemption of state privacy regimes and the lack of an individual private right of action.
Among the ITPDCA's primary provisions are notice of and consent for data collection and sharing, the ability for a consumer to opt out of the sale of their personal information, standardized requirements for privacy policies, and authorization of the Federal Trade Commission to promulgate rules to enforce the act.
The bill will almost certainly undergo substantial evolution before potentially being signed into law, but if nothing else, it marks a reengagement by Congress on the issue of consumer data privacy and will likely spur other bills to be introduced or reintroduced. As this issue develops, we will continue to track the ITPDCA and other notable bills and provide key updates in the Day Pitney Cybersecurity, Health and Technology (C.H.A.T.) Newsletter.
 While previous federal acts targeting specific industries, such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Health Insurance Portability and Accountability Act, have included some provisions relating to data privacy, they are not general consumer data privacy bills akin to the European Union’s General Data Protection Regulation.
Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.