Many have tried, all have failed. But there is a new attempt at establishing a comprehensive US federal privacy law on the horizon. On November 3, 2021, the Republican Energy & Commerce Committee introduced the Control Our Data Act, a comprehensive draft privacy bill to establish national standards for protecting consumers’ data privacy and security in the US.

The draft bill will be guided by four core principles which aim to promote innovation, increase transparency and accountability, and set clear rules for protecting consumers’ data privacy. The draft bill also makes an important distinction between large entities and small to mid-sized entities (SMEs) which aims to protect smaller businesses from undue regulatory burdens, while also introducing stricter requirements for organizations that handle greater quantities of personal information.

Several aspects of the draft bill have a close resemblance to the GDPR including Privacy by Design and risk assessment requirements. The draft bill also includes provisions for the establishment of the Bureau of Consumer Privacy Protection and Data Security. The Bureau will be charged with administering and enforcing data privacy and security laws as well as educating consumers of their rights and providing guidance for organizations.

What are the 4 guiding principles of the Energy & Commerce Committee’s draft privacy bill?

There are four principles for the draft bill that are set out in order to guide the development of the Energy & Commerce Committee’s national privacy framework to protect innovation and data privacy in America.

  1. The internet does not stop at state lines, so why should one state set the standard for the rest of the country? Creating arbitrary barriers to the internet may result in different options, opportunities, and experiences online based on where you live.
  1. A lack of transparency has led to where we are today and any federal bill must ensure people understand how their information is collected, used, and shared. We must also ensure that companies who misuse personal information must be held sufficiently accountable.
  1. Any federal bill must ensure companies are implementing reasonable measures to protect people’s personal information.
  1. We must also protect small businesses and innovation. We know that in Europe, investments in start-ups are down more than 40% since their data protection and privacy law—the General Data Protection Regulation—went into effect. We must guard against a similar situation here. We want small businesses hiring coders and engineers, not lawyers.

What is the difference between Large Entities and SMEs under the draft privacy bill?

The Energy & Commerce Committee’s draft bill makes an important differentiation between larger entities and SMEs to safeguard innovation in small businesses.

The draft bill outlines the following definitions:

Small to Mid-Sized Entity

  • has an annual gross revenue of less than $25 million in assets;
  • collect, use, share the personal information of 50,000 or less individuals; or
  • derive 50% or less of annual revenue from selling consumer information.

Large Entity

  • has an annual gross revenue of more than $25 million in assets;
  • collect, use, share the personal information of 50,000 or more individuals; or
  • derive 50% or more of annual revenue from selling consumer information.

 What are the next steps for the Energy & Commerce Committee’s draft privacy bill?

Members of the Consumer Protection and Commerce Subcommittee will continue to lead the development of the draft bill with each member focusing on specific areas of the framework, including:

  • The creation of a Bureau of Consumer Privacy and Data Security, and how the FTC will implement transparency requirements
  • How “legitimate purpose” is defined for companies, and how companies handle the retention of information
  • Risk assessment and mitigation techniques
  • The need for one national standard and avoiding conflicting regulations
  • Privacy-by-design policies and procedures
  • Categories of sensitive information

As with previous attempts to introduce a federal privacy law in the US, it remains to be seen whether there will be buy-in from both sides of the House to allow this draft bill to move forward. You can stay up to date with all the latest developments on the Energy & Commerce Committee’s draft privacy bill and other news related to federal privacy laws in the US through OneTrust DataGuidance Regulatory Research software. Sign up for a free trial to get started today.

Further reading and resources for US privacy laws:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on US privacy.