IAF Releases Model Legislation Summary

The California Consumer Privacy Protection Act went into effect on January 1, and a ballot initiative to update that law is slated for November.  State privacy legislation has been reintroduced in Washington state, and Nevada is following.  Privacy Shield may be overturned by the European Court of Justice, and more countries are adopting legislation that requires adequacy for transfers.  Pressure for the United States to enact comprehensive federal privacy legislation continues to accelerate, and more Congressional committees are trying to determine what type of privacy legislation should be enacted, and what it would take to break the political logjam.

The United States needs comprehensive federal privacy legislation.  However, it needs privacy legislation that does not look backward to yesterday’s issues, but rather looks forward to the issues that will emerge in the next decade.  With that in mind, the Information Accountability Foundation (IAF) published a model bill in 2019 called the “Fair Accountable Innovative Responsible and Open Processing New Uses that Secure and Ethical Act” or the “Fair and Open Use Act.”  The linked eight-page summary is a guide to reading the key points in that model legislation.

The model legislation is based on the core principles that organizations must be responsible stewards of data that pertains to people, so the benefits of an information age belong to everyone.  It specifies the FTC as the enforcement and oversight agency and provides the FTC with the mandate and resources to conduct both tasks.  The model bill includes individual rights but does not put the onus on individuals to enforce the law through consent and complaints.  Additionally, the model legislation:

  • Requires risk mitigations through assessments, and links the risk mitigation to five risk bands;
  • Covers all data that is personally impactful, not just personal data;
  • Defines observed and inferred data with an understanding that data is increasingly observed and created, not just collected;
  • Is globally interoperable because it requires that data can be processed only for legitimate purposes and defines those purposes; and
  • Defines the obligations of an accountable organization, and requires the organization to be demonstrably accountable.

It is not the IAF’s intent to enact this model legislation; rather the IAF’s intent is to use the model language to inform the legislation that is being written by others.  The IAF wants to work with all stakeholders to enact legislation so that the benefits of the information age belong to everyone, and so that, in today’s data-driven economy, organizations are responsible stewards of personal data and are accountable for their actions.  It is the IAF’s desire to use this summary of the model legislation to open the door to understanding legislation that is first and foremost aimed at responsible use of data that pertains to us by organizations in a demonstrably accountable manner.

Please let us know what you think.