- Democratic Reps. Anna Eshoo and Zoe Lofgren announced the Online Privacy Act as Congress has struggled to agree on specifics of online privacy laws.
- The bill creates a new Digital Privacy Agency that would enforce the law and protect users' privacy rights.
- The bill requires companies disclose why they need to collect and process data, minimize employee and contractor access to user data, not use private communications like email to target ads or "other invasive purposes," among other provisions.
Two congresswomen from Silicon Valley introduced a new online privacy bill Tuesday that proposes creating a federal enforcement agency to protect privacy rights.
Democratic Reps. Anna Eshoo and Zoe Lofgren announced the Online Privacy Act as Congress has struggled to agree on specifics of privacy legislation which both sides largely agree is warranted. The push has hit some speed bumps as representatives clash over details like whether the bill should preempt states' laws and whether individuals should be allowed to sue companies for alleged violations.
Eshoo and Lofgren's new bill proposes the creation of the Digital Privacy Agency (DPA) that would have the power to enforce privacy rights for users and make sure companies follow the law. The independent agency would be funded for up to 1,600 employees and could impose damages up to the same maximum amount as the FTC's, which is $42,530 per incident, according to a fact sheet from the representatives' offices.
"I believe that the FTC lacks the staff, the expertise and the culture to take [this on]." Eshoo said. "This is a monumental task of protecting privacy."
The bill also grants users the right to "access, correct, delete and transfer data about them," and choose for how long a company can keep the data, according to the fact sheet. Users can request "human review of impactful automated decisions." It also requires opt-in consent for users' data to be used for machine learning or artificial intelligence algorithms. It allows individuals to sue for declaratory or injunctive relief, and when not acting collectively, for damages.
For companies, the bill requires they disclose why they need to collect and process data, minimize employee and contractor access to user data, not use private communications like email to target ads or "other invasive purposes," obtain consent to disclose or sell personal information, abstain from using "dark patterns" that can mislead users into providing consent, among other provisions. Companies must also notify the DPA and users if breaches or "data sharing abuses" occur, with Cambridge Analytica provided as an example in the bill's fact sheet.
The bill explicitly provides protections for journalists to "use or disclose personal information for investigative journalism no differently than they do today."
Though the bill's proposals are even stronger than those in California's Consumer Privacy Act is set to go into effect in January, the representatives said it will not preempt state law.
The tough language was on purpose, Lofgren said on a call with reporters Tuesday. The pair thought, "if the representatives in Silicon Valley took a strong stand for privacy rights, then it would be meaningful for the rest of Congress. That's why the bill is as strong as it is," she said.
At the moment, without a national privacy law, California's legislation could effectively become the law of the land if companies decide its easier to make the new regulations a baseline for all of the regions in which they operate. That would be similar to how many companies treated updates they made for Europe's General Data Protection Regulation.
It's unclear yet what it would take for companies to become compliant with Lofgren and Eshoo's bill. An economic impact assessment of the CCPA prepared for California's attorney general estimated it will cost companies a total of $55 billion in initial compliance costs.
But on a call with reporters, the representatives said the bill would create a "marked change" for how companies like Facebook do business due to the limits it places on data collection and use.
Facebook CEO Mark Zuckerberg has been among the tech leaders urging congressional leaders to move forward on federal regulation. Zuckerberg met with several representatives in September to discuss "future internet regulation" in closed door meetings, a Facebook spokesperson said at the time. Federal legislation that preempts state law would presumably be much easier for tech companies that operate in many regions to comply with since it could require they adhere to one general standard.