Data privacy is vital to both companies and individuals. It gives individuals the right to know how their personally identifiable information is being used and protects them from uninvited surveillance. For nonprofits and large corporations alike, data privacy law dictates how personal data about consumers and employees is collected, stored and shared with third parties. Personally identifiable information (“PII”) includes Social Security numbers, tax identification numbers, credit card information, health data, immigration status and other related information. Companies are currently subject to a patchwork of state-specific data breach notification and data privacy laws that prescribe required data security practices and rights of action, and many of the ITPDCA’s provisions are drawn from those state laws and proposals. If enacted, the ITPDCA would preempt all state data privacy laws and replace the current jurisdiction-specific patchwork with a single nationwide data privacy regulatory system.
Overview of the ITPDCA
The ITPDCA protects every U.S. resident’s PII and all information about children under the age of 13. The Act does not treat employment information, de-identified information or public information as sensitive PII. In addition to federal preemption, the ITPDCA has five key elements:
- Companies are required to provide their data privacy policies to consumers and employees (collectively, “users”) in “plain English” within 90 days of the Act’s passage.
- Companies must disclose to users whether PII will be shared, with whom it is shared and for what purpose.
- Users must “opt in” before companies may use their PII, giving users full transparency over and control of their sensitive information.
- The Federal Trade Commission (“FTC”) has the enforcement power and regulatory authority to keep pace with quickly evolving digital trends and to fine ITPDCA violators. The Act grants the FTC $350,000,000 in additional funding to hire 500 new full-time employees. State attorneys general may also pursue violators if the FTC does not act on a complaint within 60 days.
- Every two years, a “neutral” entity must conduct a privacy audit of any company holding PII from 250,000 or more users to verify ITPDCA compliance.
Business-Friendly Components of the ITPDCA
Though companies are not permitted to “contract out” of their obligations under the ITPDCA, other components of the Act are considered business-friendly and could attract bipartisan support. These three components are (1) federal preemption; (2) the lack of a private right of action for individuals; and (3) the lack of artificial intelligence and facial recognition technology regulations. Of course, the same features that make the proposed law “business-friendly” are contentious and opposed by consumer advocates.
Federal preemption allows federal law to take precedence over and displace state laws under the Supremacy Clause of the United States Constitution. The ITPDCA’s preemption provision would displace all state data privacy laws in favor of a single nationwide regulatory system, but it would not preempt state-specific data breach notification laws, wiretapping laws or biometric data regulation laws.
Federal preemption is favored by companies because following one national law eases compliance and saves legal costs. Currently, companies must stay up to date with differing and sometimes conflicting state laws in order to ensure nationwide data privacy compliance. Trade organizations including the National Retail Federation, the Main Street Privacy Coalition and the U.S. Chamber of Commerce have voiced their support for the ITPDCA’s federal preemption provision.
Lack of a Private Right of Action for Consumers
A private right of action would permit consumers to bring individual lawsuits against companies that violate the ITPDCA. Unlike the California Consumer Privacy Act (“CCPA”), whose private right of action is limited to data breaches, and the European Union’s General Data Protection Regulation (“GDPR”), the ITPDCA does not give consumers a private right of action against violators. Instead, the ITPDCA vests all investigation and enforcement power in the FTC and permits state attorneys general to pursue only those ITPDCA violations that the FTC has not addressed within 60 days.
The number of private data privacy lawsuits is rising steadily, and eliminating a private right of action limits corporate liability and lowers litigation costs. In 2020, 73 class actions were filed in or removed to federal court by plaintiffs invoking the CCPA’s private right of action to seek statutory damages after ransomware attacks and data security breaches exposed sensitive PII. Still more plaintiffs filed in state court without removal to a federal forum, or sued individually outside the class action mechanism. Because of federal preemption, passage of the ITPDCA would eliminate the CCPA’s private right of action.
Lack of Artificial Intelligence and Facial Recognition Technology Regulations
The ITPDCA contains no mention of or regulation of artificial intelligence (“AI”), including facial recognition systems (“FRS”). AI, and FRS in particular, have developed rapidly and raise many legal and technical issues concerning individual privacy, data protection and algorithmic bias that leads to misidentification. Most notably, FRS lack standardization across vendors, and in the 2019 NIST evaluation of 189 FRS algorithms, the majority showed disproportionately higher false positive rates for Asian, Native American and African American individuals, with African American women facing the highest risk of misidentification.
The absence of AI and FRS regulation in the ITPDCA means technology companies can continue to develop and sell FRS to the highest bidder without addressing individual privacy or racial and gender algorithmic bias. Notably, FRS built on broad scraping of Internet data and geolocation tracking have infamously been used by law enforcement to identify protesters exercising their constitutional rights. Although no U.S. federal legislation currently regulates the use of AI or FRS, many states and cities have enacted rules that severely restrict or ban the use of FRS by police and technology companies. Representative DelBene has said the priority is to enact a comprehensive data privacy law first and then craft technology-specific amendments to the ITPDCA.
Congress may finally be ready to act on privacy, and the ITPDCA would be an important step toward a consistent U.S. privacy scheme similar to the one in force in the European Union. Numerous compromise proposals are circulating to address the most contentious issues, federal preemption and the private right of action. Until a federal bill is signed into law, businesses must continue to comply with current and newly enacted state data privacy laws. Lutzker & Lutzker will continue to provide updates on developments in federal and state data privacy legislation and is available to draft business privacy policies and answer questions about compliance with existing laws.