Online Privacy Bill introduced to the US House of Representatives…Another attempt at providing Federal privacy protections
April 23, 2023
In the United States, statutory protections of privacy tend to be state based. There have been attempts to pass Federal privacy legislation. The latest attempt is the reintroduction of the Online Privacy Act by Californian Democratic Representatives Anna G Eshoo and Zoe Lofgren. Given Republicans control the House of Representatives, it will be interesting to see whether it is passed there. Even if it is not successful, it is but the latest in a series of attempts to provide proper nationwide privacy coverage.
The Bill was introduced as part of House Resolution 2701 and described as the Online Privacy Act of 2023 (‘OPA’). The stated intention is to:
- provide for individual rights relating to privacy of personal information,
- establish privacy and security requirements for covered entities relating to personal information,
- establish an agency to be known as the Digital Privacy Agency to enforce such rights and requirements.
The Act would:
- regulate any entity, including non-profits and common carriers, that intentionally collects, processes, or maintains personal information and transmits personal information over an electronic network.
- provide several data subject rights, primarily the right:
  - of:
    - access,
    - rectification,
    - deletion,
    - portability,
    - impermanence, which would mandate that organisations may not maintain a category of personal information for longer than expressly consented to by the individual
  - to:
    - human review of automated decisions,
    - be informed.
- impose obligations on organisations to:
  - articulate the need for and minimise the user data they collect, process, disclose, and maintain;
  - minimise employee and contractor access to user data;
  - not disclose or sell personal information without explicit consent;
  - not use third-party data to re-identify individuals;
  - not use private communications (e.g. emails and web traffic) for ads or other invasive purposes;
  - not process data in a way that violates civil rights (e.g. employment discrimination);
  - use objectively understandable privacy policies and consent processes, and not use dark patterns to obtain consent; and
  - employ reasonable cybersecurity policies to protect user data.
- create the Digital Privacy Agency (‘DPA’), a federal office. It would have the power to issue regulations and to impose fines of up to $443,792 for each violation.
- also empower State Attorneys General to enforce violations and grant individuals a private right of action.
The press release provides:
Today, U.S. Reps. Anna G. Eshoo (D-CA-16) and Zoe Lofgren (D-CA-18) reintroduced the Online Privacy Act (OPA), comprehensive privacy legislation that creates user data rights, places limitations and obligations on the ability of companies to collect and use user data, and establishes a Digital Privacy Agency (DPA) to enforce privacy laws.
The updated legislation includes several improved provisions and additional privacy protections, including a section that sets the OPA as the federal floor, allowing states to legislate only when state action would provide greater protection than what is in the OPA. The updated legislation also contains a new title that creates a privacy risk management framework and supports privacy education, research, and development.
“Americans’ right to privacy is being grossly disregarded in the digital age. Too often, our private information online is stolen, abused, used for profit, or terribly mishandled,” said Rep. Eshoo. “Our legislation will restore and protect the American people’s right to privacy by ensuring every person has control over their own data, companies are held accountable for privacy intrusions, and the government provides tough but fair enforcement.”
“The Online Privacy Act solves problems by protecting the data of users and setting clear, firm standards for online companies. The bill has received widespread support from consumer rights advocates, civil rights groups, public interest groups, privacy coalitions, nonprofits, think tanks, and academics because it goes to the heart of tech policy issues by disallowing the harmful collection and retention of personal information online. If companies can’t collect data, they can’t use that data to manipulate Americans for profit,” said Rep. Lofgren.
The Online Privacy Act protects individuals, encourages innovation, and restores trust in technology companies by:
- Creating User Rights – The bill grants every American the right to access, correct, or delete their data. It also creates new rights, such as the right to impermanence, which lets users decide how long companies can keep their data.
- Placing Clear Limits and Obligations on Companies – The bill minimizes the amount of data companies collect, process, disclose, and maintain, and bars companies from using data in discriminatory ways. Additionally, companies must receive consent from users in plain, simple language.
- Establishing a Digital Privacy Agency (DPA) – The bill establishes an independent agency led by a Director who is appointed by the President and confirmed by the Senate for a six-year term. The DPA will enforce privacy protections and investigate abuses.
- Strengthening Enforcement – The bill empowers state attorneys general to enforce violations of the bill and allows individuals to appoint nonprofits to represent them in private class action lawsuits.
- Setting a Federal Floor – The bill establishes a federal floor of privacy protections for all Americans, allowing states to increase protections or respond to changes in technology and public policy.
- Supporting Privacy Research and Development – The bill directs NIST to establish a privacy risk management framework and carry out research associated with mitigating privacy risk. Additionally, it directs NIST to make competitive awards to institutes of higher education or non-profit organizations to support research around privacy-preserving technologies.