Senator Gillibrand (D-NY) proposed to broaden the class of data that merits privacy protection and to transfer the power of enforcing federal privacy laws from the Federal Trade Commission (FTC) to the Data Privacy Agency (DPA), a federal agency this bill would newly establish in the executive branch. The DPA would become the main privacy watchdog meant, according to the bill, to “protect individuals’ privacy and limit the collection, disclosure, processing, and misuse of individuals’ personal data.”
The DPA Will Oversee Personal Information and Behavioral Data Practices
The proposed scope of “personal data” would expand current protection. The term currently indicates personally identifiable information (PII) — identifiers like names and social security numbers; biometric information like photos or fingerprints; and information on property, financial assets, employment, medical history, and education.
The bill explicitly adds internet activity (“browsing history, search history, content, and information regarding an individual’s interaction with an internet website, mobile application, or advertisement”) and commercial information (products and services purchased as well as those considered for purchase), i.e., behavioral data heavily used in online marketing.
The bill also protects any inference on individual characteristics drawn from personal data. If a firm guesses individual income based on one’s education and address, for example, that income guess will also be considered personal data and as such protected under this bill.
DPA Will Have Litigation Power to Enforce Federal Privacy Laws
In an effort to promote government efficiency and eliminate duplications, the DPA will enforce federal privacy laws regulating:
Currently, these laws are enforced by the FTC, except for the protection of personal health information, which is housed under the Department of Health and Human Services.
For any violation of these federal privacy laws by any entity that “collects, processes, or otherwise obtains personal data” other than for personal use, the DPA can commence civil action and request relief for the victims. Civil damages are based on the gravity of the violation and can reach up to $1 million per day.
The DPA Will Supervise Firms to Ensure Privacy Compliance
The DPA must actively supervise large firms and firms whose core business is distributing personal data on a large scale to assess compliance with privacy laws and to oversee “high-risk data practices” — practices that involve the “systematic or extensive evaluation of personal data” through automated systems, that involve sensitive data (e.g., genetic data, race, gender, sexual orientation) or data from vulnerable groups (like children). Investigations can also be solicited by users through formal complaints that the DPA needs to collect and address in a timely manner.
DPA’s Rulemaking Authority Against Unfair and Deceptive Practices
The DPA can take action against unlawful, unfair, or deceptive acts or practices “in connection with the collection, disclosure, processing, and misuse of personal data.” Yet the bill leaves it to the DPA’s own future regulation to formally define “unfair and deceptive” practices and outline how to prevent them.
The DPA’s regulation also needs to address high-risk data processing practices and consumer scoring practices that limit individual rights or access to services, and to ensure fair contract terms, “including the prohibition of 'pay-for-privacy provisions' and 'take-it-or-leave-it' terms of service.”
Multiple Proposals for a Data Privacy Watchdog
The bill comes at a time when the largest tech companies — Alphabet, Amazon, Apple and Microsoft — are estimated to be worth more than a trillion dollars each, according to The Economist. Consumers seem to be increasingly concerned about privacy, yet unwilling to pay for it in a market setting. Instead they increasingly rely on government regulation to protect their personal information. Similarly, companies welcome regulation that is clear and uniform across jurisdictions.
The FTC has been amply criticized for its alleged ineffectiveness in protecting individual data privacy and discouraging misuse of private information. Multiple bills have been proposed in the 116th Congress (2019–2020) trying to strengthen federal privacy protection, either under the umbrella of the FTC, like the Information Transparency and Personal Data Control Act and the Mind Your Own Business Act, or under a version of the DPA as it was first proposed in the Online Privacy Act. None of these bills have advanced in the legislative process. As of March 2020, the Data Privacy Act is not supported by any cosponsor.