A draft of a bipartisan federal comprehensive privacy bill was published on Friday, June 3rd. The proposed bill — entitled the “American Data Privacy and Protection Act”— would “provide consumers with foundational privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.”
The proposed bill contains a slew of definitions, which include a number of terms that have been trending in privacy news, such as “biometric information”, “genetic information”, and “targeted advertising.”
Divided into four sections, consumer data rights would include the right to:
- Access certain data from a covered entity;
- Correct inaccurate or incomplete information within that data;
- Delete covered data; and
- Receive such data in a portable format.
The amount of time that covered entities will have to respond to an individual consumer request will depend on the size of an entity (e.g., “large data holders” will have 30 days from verification of the request).
Additionally, covered entities will also need to comply with a consumer’s right to consent and/or object to the processing of sensitive data, as well as will need to provide mechanisms for consumers to opt out of covered data transfers and targeted advertising.
Some other crucial provisions that can be found under Title II of the proposed bill include the following:
- Specific data protections for children and minors;
- Obligations for covered third party entities;
- Instructions for privacy notices and policies;
- Requirements for data security and protection programs; and
- Clauses pertaining to civil rights protections and algorithms, including the need for covered entities to conduct algorithm impact assessments.
Title III of the draft would hold corporations and their executives responsible for certifying to the FTC that they have implemented reasonable controls as required by the act and reporting structures that ensure compliance with its provisions. Some notable requirements for covered entities include:
- The designation of at least one privacy officer and one data security officer;
- The implementation of a data privacy program and a data security program; and
- Sets forth additional requirements for covered entities that qualify as “large data holders”, which is defined in the bill.
Entities that qualify as large data holders would also be required to conduct privacy impact assessments (“PIAs”) that consider emerging technologies, such as blockchain or other advancements “used [by the large data holder] to secure covered data.”
According to the current draft, the FTC would be granted the authority to enforce the Act and would be required to establish a new bureau to assist with the mission no later than one year after the bill is enacted.
The U.S. Attorney General and State Attorneys General (or chief consumer protection officer depending on the state) would also be permitted to commence civil actions against entities in violation of the Act on behalf of individuals and/or residents of their respective states. Both the FTC and the U.S. Attorney General would be required to deposit the amount of any civil penalty or other related relief to a newly established fund in the U.S. Treasury Department known as the “Privacy and Security Victims Relief Fund.”
The draft also provides a private right of action for individual lawsuits or class actions. However, this particular provision will not take effect until four years after the bill is enacted.
Notably, the federal act would preempt state laws already covered by its provisions, but contains exemptions for a number of federal and state laws relating to privacy and security, including the right to institute a civil action in the event of a personal information security breach (1798.150, Proposition 24, Sec. 16 (aka California’s “CPRA”).