Skip to main content

New Bill Would Create Digital Privacy Agency

Reps. Anna Eshoo (l.) and Zoe Lofgren
Reps. Anna Eshoo (l.) and Zoe Lofgren are co-sponsoring the data privacy legislation. (Image credit: U.S. Congress)

“Once more into the data breach” could be the rallying cry of House Democrats trying once again to come up with federal privacy legislation.

Reps. Anna Eshoo and Zöe Lofgren, both California Democrats, have reintroduced their Online Privacy Act.

The bill is something of a bill of rights for user data, putting “limitations and obligations” on the companies that collect and use data, enforced by a new Digital Privacy Agency.

Among other things, the bill: “Criminalizes doxxing [publishing personal info to harrass or intimidate]; limits companies from using data to build behavioral profiles without consent; exempts small businesses from the most onerous requirements; and prohibits the sale of government records with personal data without consent.”

It includes a carve-out for journalists, making clear reporters can use or disclose personal information for investigative journalism purposes “no differently than they do today,” but that data can be disclosed only if ther are safeguards against it being used for non-journalistic purposes.

The legislators say the bill is new and improved, including adding an Office of Civil Rights to the DPA in a nod to the increased emphasis on digital equity and a recognition that user data can be used to discriminate against minority users.

The DPA would be an independent agency with a director appointed by the president to a five-year term and subject to Senate confirmation. 

The bill would minimize the data that could be collected and bars them from using that data in any discriminatory way. Plus, such collection and use would be opt-in, with companies required to get consent from users.

There is also a version of the eraser button that Sen. Ed Markey (D-Mass.) has been pushing since he was in the House. The bill would give everyone the right to “access, correct or delete their data,” as well as a “right to impermancence,” which allows users to decide how long a company can retain their data.

The bill would strengthen enforcement. In addition to the DPA being able to investigate abuses and enforce rights, states attorneys general would be able to enforce violations of the federal law and individuals would have a right of private action, able to join in class-action suits and have nonprofits represent them in those private actions.