Congress did not write the technical details directly into the law. Instead, PRI‑9905‑S9 delegates the rule‑making authority to the National Privacy Standards Board (NPSB)—a new inter‑agency body chaired by the FTC and co‑led by the Department of Commerce.
The concept originated with the English Parliament’s passage of the Act for Prevention of Frauds and Perjuries in 1677. The act was a response to the courts’ reliance on jury trials, where juries were often manipulated by false oral testimony regarding agreements that never occurred. Modern U.S. law adopts these principles largely through the Uniform Commercial Code (UCC) and state-specific statutes. statute pri9905s9
Q1. Does PRI‑9905‑S9 apply to anonymous data?
A: If the data is truly anonymized—meaning re‑identification is impossible using reasonable means—then the statute does not apply. However, many “anonymous” data sets can be re‑identified; the NPSB recommends treating any data that could be linked to an individual as PII until proven otherwise. Congress did not write the technical details directly
Q2. What about cross‑border data flows?
A: The statute applies to any outbound transmission, regardless of destination. If the receiving jurisdiction imposes stricter privacy standards (e.g., GDPR), you must comply with the stricter regime. Mistyped or Misheard Citation : The user might
Q3. Can a company rely on a third‑party vendor’s compliance certificate?
A: No. The data controller (your organization) remains ultimately responsible. You must verify that the vendor’s processes meet the NPSB standards and obtain a copy of their certificate for your records.
Q4. Are there any exemptions for small businesses?
A: The law includes a “threshold exemption” for entities that process fewer than 5,000 PII records per year and whose annual revenue is under $10 million. However, many small firms still opt to certify voluntarily to gain competitive advantage.
Q5. How does this interact with the upcoming Data‑Transparency Act (DTA) of 2026?
A: The DTA focuses on consumer‑facing transparency and data‑access rights, while PRI‑9905‑S9 tackles how data can be shared safely. In practice, compliance programs should address both statutes simultaneously.