New Federal Privacy Bill Proposes to Create a Digital Privacy Agency

On November 5, 2019, California Congresswomen Anna Eshoo and Zoe Lofgren, who represent Silicone Valley-area districts, proposed a sweeping new federal privacy bill titled “Online Privacy Act”  (H.R. 4978)

The bill proposes to establish a federal Digital Privacy Agency which, similarly to the European Data Protection Authorities, would enforce users’ privacy rights and ensure compliance with the law.   The proposed agency would be funded for up to 1,600 employees (by comparison, the Federal Trade Commission, a de facto federal privacy agency today, has about 60 staff working on privacy enforcement) and would have the authority to promulgate regulations and issue fines ($42,530 per incident, the same as under the FTC Act).

A proposal to establish an independent federal privacy regulator is particularly notable as earlier proposals merely envisioned expanding the authority and funding of the FTC.  The Online Privacy Act provides that the FTC will retain its authority to enforce privacy laws not in contradiction with the Act.  It’s unclear whether that would include FTC’s authority to enforce Section 5(a) of the FTC Act with respect to privacy-related “unfair and deceptive” practices.

The bill provides individuals with a number of user rights including to:

• access, correct, delete, and transfer data about them;
• request a human review of impactful automated decisions;
• opt-in consent for using data for machine learning / A.I. algorithms;
• be informed if a covered entity has collected personal information; and
• choose for how long their data can be kept (so-called “right to impermanence”).

Companies, in turn, would be required to:

• articulate the need for and minimize the user data they collect and process;
• minimize employee and contractor access to user data;
• not disclose or sell personal information without explicit consent;
• not use third-party data to reidentify individuals;
• not use private communications to create targeted ads;
• not process data in a way that violates civil rights;
• only process genetic information in limited circumstances;
• use objectively understandable privacy policies and consent processes;
• employ reasonable cybersecurity policies; and
• notify the agency and users of data breaches and sharing abuses.

Small businesses would be exempt from some of the requirements under the Act.

In addition to the DPA’s authority to impose penalties, the bill authorizes State Attorneys General to bring civil actions for its violations.  Individuals may sue for declaratory and injunctive relief and bring individual actions for damages. Privacy class actions may be brought by non-profit organizations appointed by harmed individuals and States.

The bill also allows journalists to use or disclose personal information for investigative journalism as long as there are safeguards against using the information for non-journalistic purposes.

The bill appears to be silent on the issue of state law preemption, suggesting that if enacted, it would not supersede the California Consumer Privacy Act or any similar state legislation.