This originally appeared in the RPC Autumn Retail Compass. RPC is a Terralex network firm in the U.K.
The Information Transparency and Personal Data Control Act, if passed into law, will become the USA’s first countrywide, comprehensive piece of privacy legislation. This follows California, Colorado, and Virginia and their introduction of state-wide privacy legislation. The bill was introduced to the United States House of Representatives in March 2021 and was supported by a number of consumer privacy and technology organizations.
Like the GDPR, the proposed bill will control how sensitive personal data is collected, processed, stored and shared, as well as give additional protections to consumers. It will also provide the Federal Trade Commission (FTC) with rulemaking powers so that they are able to develop further requirements for entities that collect, process, store, share or sell personal information. Most specifically, this includes a responsibility on the data collector/processor to obtain opt-in consent for the collection, sharing or other disclosure of personal information.
The definition of “sensitive personal information” is relatively wide and includes account numbers, genetic data and government-issued identifiers (such as social security numbers). However, information that is publicly available, as well as employee data, will not fall under the definition.
The bill grants enforcement powers to the FTC and state attorneys general but does not include any private right of action. In the event of a violation, the FTC or the state attorney general is required to notify the relevant data controller of the alleged breach and give them 30 days to rectify the breach before commencing enforcement actions.
While retailers have had to ensure compliance with the relevant state regulations, if the bill is passed, they will now need to ensure they are compliant across the country. Even before passage, current best practices for retailers include ensuring that they are using plain English for privacy policies, properly documenting their privacy security and data use controls and keeping accurate records of any breaches and the steps taken to rectify them. Furthermore, retailers should make sure that they are obtaining affirmative opt-in consent from consumers allowing them to collect and process their sensitive information, as well as disclosing to consumers with whom their information might be shared and for what purpose.