Welcome back to the Identity Theft Resource Center’s Weekly Breach Breakdown – supported by Sentilink. This is the episode for the first week of May 2024 and I’m James Lee, the ITRC’s COO. Each week on this podcast, we look at the most recent events and trends related to data security and privacy.

This week, we are going to look at a surprise announcement that Congress may be nearing a compromise on a national privacy and data security law. The key words there are “may” and “nearing.” If our friend William Shakespeare were writing this update, this would no doubt be Act II, Scene i, because this is just the opening round (scene one) of the second attempt (Act II) in this decade to pass a comprehensive federal privacy law.

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 3, 2024. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we look at a surprise announcement that Congress may be nearing a compromise on a federal privacy bill. The keywords there are “may” and “nearing.” If our friend William Shakespeare were writing this update, this would no doubt be Act II, Scene i, because this is just the opening round (Scene One) of the second attempt (Act II) in this decade to pass a comprehensive federal privacy bill.

Lawmakers Introduce Federal Privacy Bill

While most of the country was focused on their weekend or the annual Masters golf tournament, Senator Maria Cantwell (WA) and Representative Cathy McMorris Rodgers (WA) announced a bi-partisan agreement to introduce a comprehensive federal privacy bill in the House and the Senate on Sunday, April 7. 

That’s significant for many reasons – the two legislators chair the committees of jurisdiction in both chambers of Congress. Also, the draft that has been circulated represents a major shift from just three years ago on several topics that doomed the last attempt to enact a national privacy law back in 2021.

Federal Privacy Bill Addresses Previously Unresolved Issues

For at least the last 20 years, Congress could not agree on two fundamental issues – should a federal law overrule a state privacy law and should individuals be allowed to sue a company for violating the law independent of a government enforcement action.

The discussion draft circulated recently resolves both issues. The draft states that in order to establish a uniform national standard for privacy protections, most (but not all) state laws would be pre-empted by the federal law, which is not uncommon. That wasn’t much of an issue until California passed its own privacy law in 2018, followed over the last several years by about a dozen other states. Suddenly, privacy protections depended on where you lived – which tends to drive the need for one national standard instead of 50 different sets of regulations.

Enforcement and Key Provisions 

As for enforcement, the draft creates several mechanisms, including under certain circumstances the ability of state officials as well as individuals to file lawsuits to enforce the act.

Other key provisions in the federal privacy bill give consumers more rights to access, seek correction and limit the sale or sharing of their personal information. The new proposal also includes requirements that apply to companies that sell or share personal information, known as data brokers, while preserving the legitimate use of information for anti-fraud and identity verification purposes.

The draft legislation is referred to as the American Privacy Rights Act (APRA) and also focuses on the concept of data minimization, which we’ve talked about many times on the podcast. The concept is simple – if you don’t need the data, don’t collect it. If you don’t need to keep it, delete it after a transaction is complete. If you do need to keep it, make sure it’s secure. Several other provisions are encouraging from an identity crime victim perspective, like requiring regular risk assessments and giving the Federal Trade Commission (FTC) enforcement authority.

Action Not Expected Until At Least 2025

There will be intense debates over this proposed federal privacy bill. There are also not many days left on the legislative calendar in this election year to get things done. A more likely scenario is to have a number of hearings this year that will show where the areas of agreement and disagreement reside. That may yield a bill many of the interested parties can support. However, passage will undoubtedly have to wait for the next Congress that will be seated in 2025.

If you want to learn more about the proposed federal privacy bill APRA, visit the websites of the Senate or House Commerce Committees. 

Contact the ITRC

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. We will return next week with another episode of the Weekly Breach Breakdown.