The Information Transparency and Personal Data Control Act (ITPDCA) was introduced on March 10, 2021, and has been hailed as “the first piece of comprehensive privacy legislation introduced in the 117th U.S. Congress.” Many see the ITPDCA as a step towards a new US data privacy environment.
The purpose of the bill was to “establish a uniform set of rights for consumers and create one set of rules for businesses to operate in.”
The bill shares many similarities with the EU General Data Protection Regulation (GDPR) and is said to complement global standards. As with the GDPR, the bill focuses on protecting consumers’ sensitive personal information, and organizations must obtain express opt-in consent from their users before processing their sensitive personal data.
What does the Information Transparency and Personal Data Control Act Do?
The bill will give additional powers to the Federal Trade Commission (FTC), enabling it to dictate how organizations collect, transmit, store, process, sell, share, or otherwise use the sensitive personal information belonging to members of the American public. To help the FTC enforce the ITPDCA, it will be given an additional $350 million to hire 500 additional staff focused on privacy and data security, with 50 having technical expertise.
Is the ITPDCA Similar to GDPR?
As with the GDPR, the ITPDCA draws a distinction between data controllers and data processors, in order to ensure that data controllers are held accountable for the data governance practices employed by any third parties they share information with. In simple terms, the data controller determines the purposes and means of the processing of personal data, and the data processor processes personal data on behalf of the controller. It is not yet clear what the penalties will be for violations of the ITPDCA, although data controllers are given 30 days to cure unintentional violations of the bill.
How the ITPDCA Defines Sensitive Personal Information
The ITPDCA has defined “sensitive personal information” to include the following:
- Financial account numbers
- Health information
- Genetic data
- Any information pertaining to children under 13
- Social Security Numbers
- Unique government-issued identifiers
- Authentication credentials for a financial account, including username and password
- Precise geolocation information
- Content of personal communication, including email or text message, for any entity not an intended recipient
- Personal call detail records
- Biometric information
- Sexual orientation, gender identity, or intersex status
- Citizenship or immigration status
- Mental or physical health diagnosis
- Religious beliefs
- Web browsing history, application usage history, or the functional equivalent
Information that is publicly available or has been de-identified would not be considered sensitive personal information. Likewise, information relating to employees, and non-confidential communications between controllers, consumers, and business associates, would also be exempt from the definition.
Opt-In/Opt-Out Consents Under the ITPDCA
Data controllers are required to obtain “affirmative, express, and opt-in consent” before processing sensitive personal information, and will be held responsible for their processors’ failure to obtain consent. When dealing with non-sensitive personal information, controllers and processors are only required to provide opt-out provisions, and the controller will not be held responsible for the processor’s failure to comply.
Privacy Notices Under the ITPDCA
Privacy notices must be clear, conspicuous, and written in “plain” English. They must include:
- Contact information for the controller and processors
- Information about the purposes of processing
- Information about the third parties with whom the sensitive personal information will be shared
- The types of information that will be collected and shared
- Information about how a data subject can access the information stored about them
- The steps that have been taken to protect sensitive personal information
- Information about how consent can be withdrawn
Privacy Audits Under the ITPDCA
Both data controllers and data processors will be required to undergo a privacy audit from a “qualified, objective, independent third party” once every two years. The purpose of the audit is to assess the controller’s privacy and security practices and to determine whether the security controls in place are appropriate for the size and nature of the organization. The privacy audit must be presented to the FTC or a state authority upon request. A summary of the audit must be made publicly available, regardless of the organization’s compliance status.
Exemptions to the ITPDCA
Organizations that process the sensitive information of fewer than 250,000 individuals yearly would be exempt from the audit requirement. Other exemptions include organizations that process sensitive information for the purpose of:
- Preventing or detecting fraud
- Identifying errors that impair functionality
- Protecting the vital interests of consumers
- Responding to subpoenas or valid law enforcement requests
- Enforcing agreements
- Protecting against unauthorized access
- Advancing a substantial public interest, so long as such processing does not create a significant risk of harm
- Authorized uses under the FCRA
- Completing the transaction for which the information was collected
- Complying with laws
- Conducting product recalls or servicing warranties
Private Right of Action
Under the GDPR, data subjects are permitted to pursue a private right of action, although the ability to do so will be subject to the legal framework of the data subject’s country of residence. Under the ITPDCA, there is no private right of action, as enforcement is limited to the FTC and state authorities.
What Steps Should Organizations Take to Comply with the ITPDCA?
As mentioned previously, under the ITPDCA, both data controllers and processors have an obligation to protect sensitive personal information, which includes providing clear details in their privacy notices about how they collect, process, store and share this information. While a complete overview of data security best practices is beyond the scope of this article, there are certain basic provisions that need to be in place in order to fulfill the compliance requirements of the ITPDCA.
Data Discovery & Classification
Organizations collecting sensitive personal information must ensure that they know exactly what information they collect and store and whether the information is considered “sensitive”. Trying to obtain such knowledge manually would not be an efficient approach. Instead, they should use a data discovery and classification solution, which will automatically scan their repositories (both on-premise and “in the cloud”) for any data covered by the ITPDCA.
They will also need to adopt a solution that classifies sensitive data at the point of creation and modification. These days, the most sophisticated real-time auditing solutions provide data classification tools out-of-the-box and cover the most relevant data privacy laws.
Knowing what data you store and where it is located will make it considerably easier to process opt-in and opt-out requests, as well as to implement the security controls necessary to protect the data you are entrusted with.
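As an added illustration (not code from the original article or any product it describes), the following sketch shows what a discovery-and-classification pass looks like for a few of the ITPDCA categories listed above, and how the detected categories drive the opt-in versus opt-out consent decision. The detectors, record ids and sample text are constructed; a real discovery tool would use far more detectors and contextual validation.

```python
import re

# Simplified detectors for a few ITPDCA sensitive categories (constructed for illustration).
DETECTORS = {
    "social_security_number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "financial_account_number": re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
    "precise_geolocation": re.compile(
        r"(?<![\d.])-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}(?![\d.])"),
}

def luhn_ok(digits: str) -> bool:
    """Checksum used by card-style account numbers; filters out random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of ITPDCA sensitive categories detected in one text field."""
    found = set()
    for category, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            if category == "financial_account_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # digit run is not a plausible account number
            found.add(category)
    return found

def consent_requirement(categories: set, de_identified: bool = False) -> str:
    """Sensitive data needs affirmative opt-in consent; non-sensitive or de-identified data needs only opt-out."""
    if categories and not de_identified:
        return "opt-in"
    return "opt-out"

# Constructed sample records standing in for rows pulled from a repository scan.
SAMPLE_RECORDS = {
    "ticket-1": "Customer SSN 123-45-6789 provided for identity verification.",
    "ticket-2": "Refund to card 4111 1111 1111 1111 approved.",
    "ticket-3": "Device last seen at 40.7128, -74.0060 (precise GPS fix).",
    "ticket-4": "Order 1234 5678 9012 3456 shipped.",  # 16 digits but fails Luhn: not flagged
    "ticket-5": "Customer asked about store opening hours.",
}

def scan(records: dict) -> dict:
    """Map each record id to (detected categories, required consent model)."""
    result = {}
    for rid, body in records.items():
        cats = classify(body)
        result[rid] = (cats, consent_requirement(cats))
    return result
```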
Organizations will also be required to continuously monitor the sensitive personal information they store, which includes maintaining a detailed and immutable log of all events concerning PII. Anytime PII is accessed, moved, modified, removed, or shared with a third party, the administrator must be able to review the events in real-time via a single console to determine the legitimacy of the actions performed.
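The “immutable log” mentioned above can be approximated with a hash-chained, append-only event record, so that editing or deleting an earlier PII event breaks verification. This is an added example written for this page, not the article’s or any vendor’s code; the event fields, actor names and record ids are constructed.

```python
import hashlib
import json

class PiiAuditLog:
    """Append-only log of PII events; each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, record_id, category, third_party=None):
        """Record one event (accessed/moved/modified/removed/shared) and return its hash."""
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        event = {"ts": ts, "actor": actor, "action": action, "record_id": record_id,
                 "category": category, "third_party": third_party, "prev_hash": prev_hash}
        event["hash"] = self._digest(event)
        self.entries.append(event)
        return event["hash"]

    @staticmethod
    def _digest(event):
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return the index of the first entry whose chain link or digest is broken, else None."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

def events_for_review(log, actions=("shared", "removed")):
    """Pull the events an administrator would want to check first, e.g. third-party sharing."""
    return [e for e in log.entries if e["action"] in actions]

def build_sample_log():
    """Constructed sample events, standing in for feeds from file servers and cloud apps."""
    log = PiiAuditLog()
    log.append("2021-03-10T09:00:00Z", "alice", "accessed", "ticket-1", "social_security_number")
    log.append("2021-03-10T09:05:00Z", "svc-sync", "shared", "ticket-2",
               "financial_account_number", third_party="payments-processor")
    log.append("2021-03-10T09:10:00Z", "bob", "removed", "ticket-3", "precise_geolocation")
    return log
```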
As mentioned, both data controllers and data processors are required to undergo privacy audits once every two years. Most real-time auditing solutions are able to generate pre-defined reports, which are customized to meet the requirements of most data privacy regulations, including ITPDCA.
In addition to improving one’s overall security posture, having the ability to generate reports at the push of a button will make it considerably easier for organizations to demonstrate their compliance efforts to the FTC. It’s also worth noting that most real-time auditing solutions are able to aggregate event data from multiple platforms, both on-premise and cloud-based.
Given that a cloud service provider would be classified as a data processor, having visibility into how your data is being used in the cloud will put you a step closer to ensuring that the service provider is able to meet their compliance obligations.
Third-Party Risk Assessments
Data controllers are required to carry out due diligence on any third parties (data processors) with whom they share sensitive personal information. This requires carrying out a comprehensive risk assessment of the security controls they have in place, including their privacy notices, consent management procedures, breach notification protocols, and more.