On June 3, 2022, House and Senate leaders released a draft bipartisan bill concerning a new data privacy framework.

An overview of the draft bill’s key provisions includes the following:

  • The bill would apply to “covered data” which is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Covered data excludes de-identified data, employee data, and publicly available information.
  • The bill would apply to “covered entities” which is defined as “any entity or person that collects, processes, or transfers covered data and — (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or (iii) is an organization not organized to carry on business for their own profit or that of their members.” However, the bill contains numerous exemptions such as excluding small businesses. The covered entities would need to minimize the data collected, processed, and transferred and would require individual consent for certain data processing activities.
  • Covered entities would need to implement privacy by design policies as well as publish privacy policies explaining data processing activities.
  • Covered entities could not advertise to individuals under the age of 17.
  • Individuals could access, correct, and delete covered data. Individuals could also opt out of covered data being transferred to third parties and targeted advertising.
  • The Federal Trade Commission (FTC) and State Attorneys General would enforce the legislation.
  • Most state laws would be preempted by this federal law. However, there are several exemptions including the Illinois Biometric Information Privacy Act and the California Privacy Rights Act’s personal information security breach section.
  • The FTC would be able to issue guidance and promulgate rules regarding the bill’s data minimization and consumer request requirements.

For more information regarding the content of this proposed data privacy bill, please visit this link to view the discussion draft.