The proposal would grant the FTC, as well as state attorneys general, enforcement authority, and includes civil penalties for violations. It would also preempt any state laws governing consumer data, except for those pertaining to health information, financial information, data on minors and K-12 students, fraud and consumer safety, and state data breach notification laws. It would provide a qualified exemption for entities subject to specified federal privacy and data security laws, such as the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA).
Covered entities are defined under the proposal as any “person that collects, creates, processes, retains, uses, or discloses personal data in or affecting interstate commerce,” but would not include federal, state or local government agencies, tribal governments, or entities that collect personal data on fewer than 10,000 persons over a 12-month period. The definition also excludes entities that collect personal data for the purposes of security research, provided such entities take reasonable steps to mitigate privacy risks and destroy or de-identify the data once the research activities have concluded.
Finally, the proposal establishes a mechanism whereby a covered entity may apply to the FTC for approval of private “codes of conduct” governing its processing of personal data. If the FTC determines that a private code of conduct provides equal or greater protections than the relevant requirements described above, adherence to that code may serve as a safe harbor defense in any suit brought against the covered entity for alleged violations of the Act.
It is unclear at this time whether a bill with the same or substantially the same language will be introduced in Congress, or if this will serve as a discussion draft to assist in the crafting of legislation as Congress moves forward.