Information Transparency & Personal Data Control Act

Information Transparency & Personal Data Control Act

This bill requires the Federal Trade Commission (FTC) to establish requirements for certain entities when they collect, transmit, store, process, use, or otherwise control sensitive personal information. Information relating to an identifiable individual is generally considered sensitive personal information. However, information that is publicly available is not considered sensitive.

Specifically, these entities must (1) obtain affirmative consent from users for functionality related to the disclosure of sensitive personal information, (2) publish a privacy and data use policy that is readily understandable, (3) provide users the ability to opt-out of the sharing of their nonsensitive information, and (4) obtain at least once every two years a privacy audit that evaluates the sufficiency of the entity's data privacy and security controls. These requirements do not apply to the collection or sharing of sensitive or nonsensitive personal information for certain purposes such as detecting fraud or identity theft.

The bill provides authority for the FTC and state attorneys general to enforce these requirements.

Additionally, the FTC must hire 500 new employees to focus on privacy and data security.