In late June 2022 H.R. 8152 was introduced which seeks to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. 

What are some of the important aspects of the bill?

According to the Congressional Research Service the bill proposes the following:

Covered Entities. It would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds or service providers that use data on behalf of other covered entities, would face different or additional requirements.

Covered Data. It would apply to information that “identifies or is linked or reasonably linkable” to an individual.

Duties of Loyalty. It would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images.

Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.

Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would require covered entities to get a consumer’s affirmative, express consent before using their “sensitive covered data” (defined by a list of sixteen different categories of data). It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.

Youth Protections. It would create additional data protections for individuals under the age of 17, including a prohibition on targeted advertising, and it would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).

Third-Party Collecting Entities. It would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that it does not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.

Civil Rights and Algorithms. It would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. Large data holders would be required to submit these assessments to the FTC and make them available to Congress on request.

Data Security: It would require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities. It would authorize the FTC to issue regulations elaborating on these data security requirements.

Small- and Medium-size Businesses: It would also relieve small- and medium-size businesses from complying with several requirements; for instance, these businesses may respond to a consumer’s request to correct their data by deleting the data, rather than correcting it.

Enforcement. It would be enforceable by the FTC, under that agency’s existing enforcement authorities, and by state attorneys general in civil actions.

Private right of action. It would create a delayed private right of action starting four years after the law’s enactment. Injured individuals would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.

Preemption. It would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.

Section by section specifics can be found here. 

We are going to see more privacy proposals on the state and federal level. 

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.