Congress is taking yet another stab at addressing the near-complete lack of federal laws covering the absolutely massive trove of data that companies now collect on every one of us, which forms the backbone of basically the entire big tech era.
Representatives Anna Eshoo and Zoe Lofgren, both Democrats from California, introduced the Online Privacy Act today. The act would create a new federal agency, the Digital Privacy Agency, to enforce privacy rights. The act would also authorize the agency to hire up to 1,600 employees.
“Every American is vulnerable to privacy violations with few tools to defend themselves. Too often, our private information online is stolen, abused, used for profit, or grossly mishandled,” Eshoo said in a statement. “Our legislation ensures that every American has control over their own data, companies are held accountable, and the government provides tough but fair oversight.”
“Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information,” Rep. Lofgren added. “Privacy for online consumers has been nonexistent — and we need to give users control of their personal data by making legitimate changes to business practices.”
The Online Privacy Act
The provisions in the bill (PDF) would apply to “any entity (including nonprofits and common carriers) that intentionally collects, processes, or maintains personal information AND transmits personal information over an electronic network.”
Under the terms of the OPA, individuals would have the right to obtain, correct, and delete data collected about them by covered entities, as well as to request “a human review” of automated decisions. Users would also have to opt in to having their personal data used for training machine learning algorithms. They would be able to choose for how long companies retain their data.
The bill distinguishes between aggregated data and personal, identifiable data that is tied to an individual, and it places strong limitations on use of the latter. As outlined in a one-page fact sheet, the OPA would:
- articulate the need for and minimize the user data [covered entities] collect, process, disclose, and maintain
- minimize employee and contractor access to user data
- not disclose or sell personal information without explicit consent
- not use third-party data to reidentify individuals
- not use private communications (e.g., emails and Web traffic) for ads or other invasive purposes
- not process data in a way that violates civil rights, e.g., employment discrimination
- only process genetic information in limited circumstances
- use objectively understandable privacy policies and consent processes, and may not use ‘dark patterns’ to obtain consent
- employ reasonable cybersecurity policies to protect user data, and
- notify the agency and users of breaches and data-sharing abuses, e.g., Cambridge Analytica
The privacy mess
Privacy law in the United States today is a patchwork of regulation, and the end result is basically a hot mess that leaves agencies with limited authority to investigate and penalize even egregious abuses of personal data.
The federal statutes that exist each cover a specific, limited kind of data and enumerate a specific, limited kind of entity that’s obligated to protect that data. So for example, while your doctor’s office can’t sell information about your diagnoses to a third party, no such limitation applies to apps or wearable devices that collect the same kinds of data.
A handful of states have additional laws on the books. Illinois, for example, adopted a prescient law back in 2008 that regulates the collection and use of individuals’ biometric data. Facebook since 2015 has been embroiled in a class-action lawsuit in that state over its use of facial recognition.
The biggest player at the state level is California, which in 2018 adopted a sweeping privacy law that would give individuals more control over how their personal data is collected, used, and sold. That law has survived several attempts by opponents to weaken its key provisions, and it goes into effect on January 1.
Representatives Eshoo and Lofgren are far from the first to propose new federal legislation to address the morass. In fact, they’re not even the first this year. Sen. Ron Wyden (D-Ore.) last month introduced the Mind Your Own Business Act, which not only seeks to introduce new standards for user privacy and how data is handled, but would also impose criminal penalties, including jail time, on the leadership of companies that fail to comply.
Sen. Marco Rubio (R-Fla.) also introduced a privacy-related bill earlier this year. His American Data Dissemination Act would create a process and timeline for the Federal Trade Commission to establish privacy rules, rather than actually establishing new rules. It would also prohibit any state from enforcing its own law related to the same kinds of data as the federal law, something many big tech companies strongly support.