US congressional moderate hopes her privacy proposal heads off state laws

A moderate Democratic US lawmaker is rekindling a push for national privacy legislation with hopes for bipartisan support and warnings that states have seized the initiative on regulating the private sector’s treatment of Americans’ personal data.

Representative Suzan DelBene, the Washington representative who heads the socially liberal and fiscally conservative New Democrat Coalition, today will introduce the Information Transparency and Personal Data Control Act with 15 mostly similarly moderate cosponsors.

Her bill would preempt state laws in favor of a national standard — the lawmaker says she wants to avoid a “patchwork” of state laws — and eschews private right of action. State attorney generals would be empowered to bring civil litigation for violations after coordinating with the Federal Trade Commission.

State lawmakers have signaled they’re unwilling to wait for Congress to act, which puts pressure on federal representatives to act, DelBene said.

Just days ago, Virginia joined California in approving a baseline privacy law for residents. That leaves 48 states without comprehensive privacy law, but lawmakers like DelBene say privacy rights and responsibilities shouldn’t be governed by which side of a state line consumers are on.

“It’s hard for a small business to keep up with a patchwork of laws,” she said. And it matters internationally: “If we’re going to help set global standards, we have to have a domestic policy,” she said. In short, if Congress doesn’t act soon, states will, and that will pose a “challenge for us in terms of trying to rationalize all of that, going forward.”

DelBene’s proposal lands weeks into a new session of Congress where privacy legislation could nonetheless fare no better than during the previous two years. Republicans and Democrats who attempted in 2019 and 2020 to bridge differences over key areas such as preemption of state laws and a private right of action ultimately found themselves at unbreakable loggerheads.

Newly unified Democratic control over the House, Senate and presidency may present an opportunity for some liberal priorities, but the old divisions over privacy are as salient as ever. And the divisions aren't all between left and right: Many progressive Democrats want stronger privacy regulations than DelBene’s proposal offers.

Despite taking a relatively light touch on the private sector, DelBene so far hasn’t attracted Republican support. “I believe this can be bipartisan. This isn’t an issue that’s partisan, per se,” she said during a press availability ahead of the bill’s introduction.

DelBene’s bill would require companies to obtain consumers’ opt-in consent before sharing sensitive personal information with third parties, provided that sharing wasn’t disclosed up front in a privacy and data use policy.

It would require privacy policies to use “plain language” and disclose the purpose behind sharing sensitive personal information and the categories of third parties it’s shared with.

“There may be new services that come up,” DelBene said when asked if the bill would encourage companies to make their privacy policies as broadly encompassing as possible in a bid to head off invoking the consent requirement. “We want to make sure there’s opt-in there.”

Consumers could opt out of having their information shared, but only for information considered non-sensitive. The bill's definition of sensitive information includes health information, geolocation data, sexual orientation or gender identity, as well as web browsing and application usage history.

The bill doesn’t require companies to continue offering service to consumers even should they invoke their opt-in or opt-out rights. Some services require sensitive personal information to operate, DelBene noted. “If you aren’t willing to have someone collect location information, you may not be able to tell them what restaurant is right near them.”

It is possible the FTC would clarify some of the scenarios under which a company properly provides notice and navigates consent requests, DelBene noted. Her proposal authorizes $350 million for the FTC in the expectation it would hire 500 new employees to focus on privacy and data security enforcement and other matters. The agency would use part of that money and staff to promulgate regulations enacting the bill.

Another FTC duty would be to establish qualifications for auditors that companies would come under a mandate to hire every two years if they process the sensitive personal information of more than 250,000 individuals per year.