Two Silicon Valley legislators have introduced a new privacy bill in the House of Representatives that would create an independent privacy agency and place significant restrictions on the kinds and amount of personal data companies can collect and what they can do with that information while they have it.
The Online Privacy Act, introduced Tuesday by Reps. Zoe Lofgren and Anna Eshoo, would establish the Digital Privacy Agency (DPA), a new federal bureau that would have the authority to issue regulations and enforce them through stiff fines. That agency would be the first of its kind in the United States and would centralize the creation and enforcement of privacy regulations, which is currently all over the map.
The U.S. does not have a federal privacy law that protects individuals’ rights, though the Federal Trade Commission has some authority to impose fines on companies for certain privacy violations. Under the terms of the proposed bill, the DPA would have the authority to issue fines of up to $42,530 for each individual violation and state attorneys general also would have the authority to bring civil suits against companies that violate the privacy regulations.
The new bill is heavily focused on setting out strict requirements for how companies can collect, use, and transfer individuals’ data. It requires organizations to spell out in plain language why they need to collect specific types of data and to minimize to the greatest extent possible the amount of data they gather, store, and disclose. It also prohibits companies from selling or disclosing personal information without consent, using third-party data to re-identify people, or processing data in a way that violates civil rights. The bill requires companies to have easily understandable privacy policies and user consent processes, as well.
The Online Privacy Act includes a number of provisions that give individuals more control over the ways in which their data is used and collected. For example, companies are required to give users a mechanism through which they can correct, delete, and transfer their own data. Individuals also would have the right to decide how long a company can hold their data.
“Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information,” said Lofgren.
“Privacy for online consumers has been nonexistent – and we need to give users control of their personal data by making legitimate changes to business practices. The Online Privacy Act creates a robust framework that balances the actual needs of businesses with fair privacy rights and expectations for users.”
The Online Privacy Act joins a crowded field of pending privacy bills at various stages in both the House and the Senate. In October, Sen. Ron Wyden (D-Ore.) introduced his Mind Your Own Business Act, which provides for the creation of a centralized Do Not Track database to allow people to opt out of sharing data with third parties. And last year, a large group of senators introduced the Data Care Act, which has some similarities with the Online Privacy Act, but would give enforcement authority to the FTC. None of those bills, including the Online Privacy Act, would apply to federal government agencies.
Privacy advocates have shown strong support for the creation of a separate privacy agency in the past. In April, the Electronic Privacy Information Center (EPIC) sent a letter to the Senate Committee on Commerce, Science and Transportation urging Congress to create a new independent agency to oversee data privacy. On Tuesday, EPIC officials said the Online Privacy Act hits the right notes for user privacy.
“The bill by Reps. Eshoo and Lofgren sets out strong rights for Internet users, promotes innovation, and establishes a data protection agency. This is the bill that Congress should enact,” EPIC Policy Director Caitriona Fitzgerald said.