On November 5, two Silicon Valley congresswomen – Democratic representatives Anna G. Eshoo of Palo Alto and Zoe Lofgren of San Jose – introduced a new bill called the Online Privacy Act. While the Online Privacy Act still needs to pass a vote in both the House and Senate before it can be officially signed into law, it is yet more proof that a federal privacy law could be coming to the United States as early as next year. According to the two backers of the Online Privacy Act, it will be more stringent than the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020.
Details of the new federal privacy law
In many ways, the new federal privacy law is modeled on the European General Data Protection Regulation (GDPR), which solidified privacy as a fundamental right of all European citizens. Similar to the GDPR, the new Online Privacy Act establishes a strong set of user rights, provides for significant penalties in the event of a privacy violation, and outlines new privacy obligations of companies. For example, the new federal privacy law would not allow tech companies to use private communications like email to target ads (as in the case of Google showing ads within Gmail based on topics in emails). And the new federal privacy law would require data minimization from companies.
According to the two congresswomen, the new federal privacy law would fundamentally change the way companies such as Facebook, Apple and Google do business. These companies would be limited in the use, collection and sharing of personal information. If there were not an explicit business need to collect and store information, then they would be barred from collecting personal data. The goal of the new federal privacy law is to ensure that all Americans have control over their data and that all companies are held accountable for their actions. With passage of the law, Americans would be able to access, correct, delete and transfer data in such a way that respects their right to privacy.
Creation of a Digital Privacy Agency
One of the most interesting features of the new bill is the creation of a new privacy authority known as the Digital Privacy Agency. This would be a standalone federal agency that has both rulemaking and enforcement authority. The director of the Digital Privacy Agency would be appointed by the president of the United States – a fact that would automatically give the agency significant heft and clout on the national political stage. As the bill’s two co-sponsors see it, the new DPA would act much like the privacy authorities across Europe, which have been entrusted with protecting the right to privacy. It would also work closely with state attorneys general on enforcement actions.
The establishment of the Digital Privacy Agency could be controversial because the new agency would supplant the Federal Trade Commission (FTC) as the go-to federal agency for all privacy-related enforcement actions. Right now, the FTC only has a limited number of staff members working on privacy enforcement actions, but the new DPA would have authority to hire 1,600 employees. According to the two Silicon Valley representatives, the current FTC is “toothless” in its ability to punish big tech companies, handing out the equivalent of “parking tickets” to big companies like Facebook. Under the new federal privacy law, the new DPA would be able to fine companies up to a maximum of $42,530 per incident. Potentially, then, a big tech company with tens of millions of users could be facing massive fines if found guilty of privacy violations.
New features in the Online Privacy Act
The 132-page bill also includes a number of innovative and relevant remedies for current issues facing the digital world. For example, given how frequently big tech companies are using personal data and personal information to “train” artificial intelligence (AI) and machine learning algorithms, the new Online Privacy Act would require opt-in consent for any use of personal data in this manner. Thus, a big Silicon Valley giant like Google would not be able to acquire a massive new database of health data (as it recently did via a partnership with the Ascension health system) and automatically go to work, using that data to train its AI algorithms. Instead, the company would first have to obtain the explicit consent of all individuals in the data set.
In addition, the new federal privacy law forbids companies from using “dark patterns” that mislead consumers into providing consent for their personal data being used in unanticipated ways. The new federal privacy law would also enable human review of impactful automated decisions. Thus, you couldn’t be turned down for a financial loan or health insurance coverage by a machine – a human would have to review the final outcome. The new federal privacy law also criminalizes “doxxing.” And, notably, the new federal privacy law would create a new right – the “right to impermanence.” This means that users would be able to decide how long companies keep their data.
Problems with the new federal privacy law
While the new Online Privacy Act skillfully balances the very best features of both the General Data Protection Regulation and the CCPA, that is not to say that the federal privacy law is without its problems. For example, as currently written, the Online Privacy Act would not preempt state law. In other words, if a state like California already has a privacy law in place, then the state could choose to apply its own law rather than the federal law. This is problematic because it means the new federal privacy law doesn’t really solve the “patchwork quilt” problem of 50 different states with 50 different privacy laws.
Moreover, a big sticking point with the new OPA is almost certain to be the ability of both individuals and classes of individuals to take legal action against big tech companies. The new federal privacy law, if enacted, would allow the private right of action and also make it much easier for nonprofit privacy foundations to file class action lawsuits on behalf of aggrieved users. As big tech companies see it, that would provide some very negative incentives for so-called “privacy trolls” to harass deep-pocketed tech companies over both real and imagined privacy violations.
Outlook for the new federal privacy law
Overall, however, the new Online Privacy Act is an important step forward in creating a federal privacy law that is as comprehensive and far-reaching as the GDPR. The fact that the two sponsors of the bill are from Silicon Valley is another big selling point, since it shows how serious and well thought out the new legislation is. Obviously, the two congresswomen have heard plenty from their constituents – many of them tech workers – and have a very good idea of how to balance privacy concerns with the proper business incentives for tech companies. Now that the CCPA is set to go into effect in 2020, the momentum is building for the inevitable introduction of a new federal privacy law for the United States as soon as next year.