On Nov. 5, California Congresswomen Anna G. Eshoo and Zoe Lofgren introduced the Online Privacy Act of 2019, H.R. 4978, to balance the actual needs of businesses with users’ fair privacy rights and expectations. The proposed privacy bill seeks for the United States to adopt many of the requirements of the California Consumer Privacy Act (CCPA), which is effective Jan. 1, 2020, and that exist under the EU’s General Data Protection Regulation (GDPR). Below is a brief summary of the main components of the Act. A copy of the Online Privacy Act can be found here, and a section-by-section analysis by the Congresswomen can be viewed here.

  • Digital Privacy Agency. The Online Privacy Act seeks the establishment of a new federal agency, the Digital Privacy Agency (DPA), with funding for 1,600 employees, to enforce privacy protection and investigate abuses. The DPA could impose maximum damages of $42,540 per incident, consistent with the Federal Trade Commission Act. The proposed legislation would allow state attorneys general to bring civil actions for violations of the Act; individuals to file suit for injunctive or declaratory relief and seek damages individually; and nonprofits to bring class actions on behalf of users.
  • Privacy and Security Requirements for Companies. The proposed bill seeks for companies to adopt various privacy and security requirements, such as: (a) minimizing the data they collect, and employee and contractor access to such data; (b) articulating the reasons for collection, processing, and maintenance of the data; (c) obtaining an individual’s explicit consent to disclose or sell the individual’s personal information; (d) not using private communication such as emails or web traffic for ads or other invasive purposes; (e) having transparent, easy to understand privacy policies and consent processes; and (f) employing reasonable cybersecurity policies.
  • Individual Rights. The proposed federal legislation seeks to provide every American the right to access, correct, delete, and port their personal information. Similar to the GDPR, the bill also seeks for companies to inform individuals of any automated decisions that could have a significant privacy harm on the individual, and permits individuals to request human review of such decision. In addition, a company would need to obtain express affirmative consent from an individual before it would be permitted to use the individual’s personal information for behavioral personalization.

GT will keep you updated on all developments relating to the Online Privacy Act and other proposed state and federal privacy legislation. For more information, please contact Gretchen Ramos or Jonathan Becker.