November 8, 2019
Currently, the Federal Trade Commission is the government agency responsible for monitoring privacy violations. But, in response to rising calls to regulate big tech companies, two legislators — Anna Eshoo (D-California) and Zoe Lofgren (D-California) — have sponsored the Online Privacy Act. Among its provisions, the Act would create the Digital Privacy Agency (DPA) to enforce privacy legislation, backed up by 1,600 officials. That size would put it on a par with the Federal Communications Commission.
The Verge reports that the FTC currently “employs only a few dozen people dedicated to violations.” Although concerns about data privacy are bipartisan, few laws have been passed, with the notable exception of the California Consumer Privacy Act (CCPA), “one of the toughest in the country.” Eshoo noted that the DPA would be “stronger than the California law,” and ideally become “the standard for the United States … [offering] the kind of uniformity that I think everyone is looking for without preemption because it is the broadest bill.”
The Online Privacy Act grew out of a privacy bill of rights for users, put together by lawmaker Ro Khanna (D-California) as directed by House Speaker Nancy Pelosi (D-California). The DPA would be similar to Europe’s General Data Protection Regulation in that it “would allow users to access, correct, delete and transfer their data,” and users would “have to opt in for companies to use their data in machine learning or AI algorithms.”
Companies would also be required to be “far more transparent about how they handle user data … [and] could not disclose or sell user data without receiving explicit consent or use third-party data to re-identify users.” Also unlawful would be so-called dark patterns that “sway users into consenting to data collection” and the use of targeted ads “based on private messages.”
Under the law, if a breach of personal data occurs, “the affected company would have 72 hours to alert users” and violations of DPA provisions could result in a fine of $42,530 per incident (similar to that now levied by the FTC).
DPA would also allow state attorneys general to bring civil actions and impacted consumers to bring civil suits against specific platforms. It introduces much stricter rules than laws proposed in Congress after the Cambridge Analytica debacle, criminalizing “doxxing or the sharing of personal information without consent.”
“Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information,” said Lofgren. “Privacy for online consumers has been nonexistent — and we need to give users control of their personal data by making legitimate changes to business practices.”