On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).
The Act would provide users with a broad panoply of rights with respect to their personal information, including rights to (1) access, correct, delete and transfer their personal information, (2) request a review of automated decisions by a person, (3) express their opt-in consent to use their information by artificial intelligence, and (4) choose the retention period for their personal information.
Under the Act, companies must generally comply with data minimization requirements and must also not (1) disclose or sell personal information without explicit opt-in consent, (2) attempt to re-identify individuals through information obtained from third parties, (3) use emails and web browsing for “invasive purposes,” and (4) process personal information in a manner that violates discrimination laws or individuals’ civil rights.
The Act would establish a DPA with funding for approximately 1,600 employees, which is a major shift away from FTC enforcement in the privacy arena. The DPA would be empowered to issue regulations to implement the provisions of the Act and would be granted enforcement power along with state attorneys general. The Act would permit individuals to sue for declaratory or injunctive relief or grant them the power to appoint nonprofit organizations to sue for monetary damages.
In announcing the Act, Representative Eshoo noted that the Act “ensures that every American has control over their own data, companies are held accountable, and the government provides tough but fair oversight,” while Representative Lofgren stated that, “The Online Privacy Act creates a robust framework that balances the actual needs of businesses with fair privacy rights and expectations for users.”