After months of criticism of regulators for having a hard time at Big Tech, a few Democratic legislators announced new legislation that would create a completely new federal agency with the authority to regulate the industry.
Among other provisions, the Online Privacy Act, sponsored by Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA), the Digital Privacy Agency or DPA. That agency would have the authority to issue regulations and impose the privacy rules imposed by legislation. The agency would be funded to employ 1,600 civil servants, making it about the same size as the Federal Communications Commission. The Federal Trade Commission currently regulates privacy in general and employs only a few dozen people who are dedicated to violations.
In the wake of the Facebook Cambridge Analytica scandal, lawmakers on both sides of the aisle took the opportunity to draw up an overarching federal privacy bill. Few of such bills have been transposed into the law, except at the state level. The California Consumer Privacy Act (CCPA) has become one of the country's most difficult and sees Democrats as a minimum standard for future legislation.
"This bill is stronger than California law," Eshoo said in a call with reporters, referring to the CCPA. "This would be the standard for the United States and it would provide the kind of uniformity that I think everyone is looking for without priority because it's the widest bill."
Earlier this year, Speaker Nancy Pelosi (D-CA) wore Rep. Ro Khanna (D-CA) to prepare a privacy right for users. The Online Privacy Act does not support these efforts, codifies certain rights that users have over how their data is collected and used by technology companies. It would give users access to their data, correct it, delete it and transfer it, similar to the European general data protection regulation. Users must also choose that companies use their data for machine learning or AI algorithms. In a call to reporters, the representatives said the measure would allow users to switch the use of algorithmic news feeds, an idea that has already been introduced into the Senate as legislation and something that many critics find alarming.
Companies should be much more transparent about how they handle user data under the Online Privacy Act. Companies could not release or sell user data without explicit permission or use data from third parties to re-identify users. Dark patterns that induce users to consent to data collection would also be prohibited, something that other legislators such as Sens. Mark Warner (D-VA) and Deb Fischer (R-NE) have previously transposed into legislation. It would be illegal to target advertisements based on private messages if this law is also transposed into legislation. If personal data breaches occur, the affected company has 72 hours to warn users and the data protection authority.
If companies violate one of the rules set out in the bill or the rules established by the data protection authority, they may be fined $ 42,530 per incident, which corresponds to how much the FTC act authorizes the agency to search. State Advocates General could take civil action and affected consumers could also initiate civil proceedings against platforms.
The Online Privacy Act goes beyond much of the legislation introduced by Congress in the wake of Facebook's Cambridge Analytica scandal, and even includes some measures to criminalize doxxing or sharing personal information without permission.
"Our country urgently needs a legal framework to protect consumers from the ever-growing data collection and exchange industries that earn billions in personal information from Americans every year," said Rep. Lofgren. "Privacy for online consumers does not exist – and we must give users control over their personal information by making legitimate changes to business practices."