Congress is taking yet another stab at addressing the near-complete lack of federal laws covering the absolutely massive trove of data that companies now collect on every one of us, which forms the backbone of basically the entire big tech era.
Representatives Anna Eshoo and Zoe Lofgren, both Democrats from California, introduced the Online Privacy Act today. The act would create a new federal agency, the Digital Privacy Agency, to enforce privacy rights. The act would also authorize the agency to hire up to 1,600 employees.
"Every American is vulnerable to privacy violations with few tools to defend themselves. Too often, our private information online is stolen, abused, used for profit, or grossly mishandled," Eshoo said in a statement. "Our legislation ensures that every American has control over their own data, companies are held accountable, and the government provides tough but fair oversight."
"Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans' personal information," Rep. Lofgren added. "Privacy for online consumers has been nonexistent—and we need to give users control of their personal data by making legitimate changes to business practices."
The Online Privacy Act
The provisions in the bill (PDF) would apply to "any entity (including nonprofits and common carriers) that intentionally collects, processes, or maintains personal information AND transmits personal information over an electronic network."
Under the terms of the OPA, individuals would have the right to obtain, correct, and delete data collected about them by covered entities, as well as to request "a human review" of automated decisions. Users would also have to opt-in to having their personal data used for training machine learning algorithms. They would be able to choose for how long companies retain their data.
The bill distinguishes between aggregated data and personal, identifiable data that is tied to an individual, and it places strong limitations on use of the latter. As outlined in a one-page fact sheet, the OPA would:
- articulate the need for and minimize the user data [covered entities] collect, process, disclose, and maintain
- minimize employee and contractor access to user data
- not disclose or sell personal information without explicit consent
- not use third-party data to reidentify individuals
- not use private communications, (e.g., emails and Web traffic) for ads or other invasive purposes
- not process data in a way that violates civil rights, e.g., employment discrimination
- only process genetic information in limited circumstances
- use objectively understandable privacy policies and consent processes, and may not use 'dark patterns' to obtain consent
- employ reasonable cybersecurity policies to protect user data, and
- notify the agency and users of breaches and data-sharing abuses, e.g., Cambridge Analytica
The privacy mess
Privacy law in the United States today is a patchwork of regulation, and the end result is basically a hot mess that leaves agencies with limited authority to investigate and penalize even egregious abuses of personal data.
The federal statutes that exist each cover a specific, limited kind of data and enumerate a specific, limited kind of entity that's obligated to protect that data. So for example, while your doctor's office can't sell information about your diagnoses to a third party, no such limitation applies to apps or wearable devices that collect the same kinds of data.
A handful of states have additional laws on the books. Illinois, for example, adopted a prescient law back in 2008 that regulates the collection and use of individuals' biometric data. Facebook since 2015 has been Read More – Source