U.S. Representative Cathy McMorris Rodgers, the Republican leader of the House Energy and Commerce Committee, and U.S. Representative Gus Bilirakis, the Republican leader for the Consumer Protection and Commerce Subcommittee, have submitted the “Control Our Data Act” bill.

Here are some key points:

  • Required privacy disclosure, which also needs to include a summary
  • Required notice at collection
  • Consumer rights including: confirmation (that there is data), access (but information only, not specific pieces), correction, deletion, objection to the use of sensitive information
  • Prior express, separate consent for processing of sensitive information
  • Processing of personal information only allowed if one of 5 justifications (similar to the GDPR legal bases) is found
  • Retention limitation: retain only for as long as necessary for the purpose
  • Privacy by design
  • Required risk assessment (DPIA)
  • Requirements for contracts for third-party sharing
  • Required measures for information security
  • Data brokers: requirements for privacy notices, periodic audits and a central registry
  • FTC to issue regulations and guidance
  • FTC to conduct a study to determine the most effective method of communicating common privacy practices in short-form privacy statements, graphic icons, or other means
  • Enforcement by the FTC with enhanced penalties

Read a draft of the bill here.