After California passed the landmark Consumer Privacy Act, tech executives began looking to Washington for a federal solution that might preempt the California law before it went into effect on January 1, 2020. Yet only recently have we seen any concerted push for action in Washington.
In September, the Internet Association, the leading Washington lobby for global internet companies, declared, “[p]assing comprehensive, federal privacy legislation in the 116th Congress is a top priority for the internet industry.” This week, Federal Trade Commission Chairman Joseph Simons urged Congress to pass privacy legislation, as the FTC has “”done as much as we can do with the tools we have.”
Earlier this month, two senior Silicon Valley Congresswomen Anna Eshoo (D) and Zoe Lofgren (D) introduced H.R. 4978, the “Online Privacy Act of 2019” after consulting with more than 100 academics, businesses, regulators and advocacy groups. The 132-page bill, which does not preempt state privacy legislation, would give users the right to (i) access, correct, delete and transfer data about them; (ii) opt-in consent for using data for machine learning / A.I. algorithms; (iii) to be informed if a covered entity has collected their information; and (iv) choose for how long their data can be kept.
The bill requires that companies (i) minimize employee and contractor access to user data; (ii) not disclose or sell personal information without explicit consent; (iii) not use third-party data to reidentify individuals; (iv) not use private communications, (e.g., emails and web traffic) for ads or other invasive purposes; (v) use objectively understandable privacy policies and consent processes to obtain consent; and (vi) employ reasonable cybersecurity policies to protect user data.
The bill, which also criminalizes doxxing; would be enforced by a new federal Digital Privacy Agency, as well as by state Attorney Generals and by either class actions brought by designated non-profit agencies or individual consumer actions. Small businesses that do not earn revenue from the sale of personal information and that (i) earn half of their annual revenue from targeted advertising, (ii) has personal information of fewer than 250,000 individuals; (iii) has less than 200 employees and (iv) revenue under $10 million would be exempted from the bill’s requirements.
The bill has been praised by privacy groups such as the Electronic Privacy Information Center, while on the industry side the Internet Association commended the sponsors for their “hard work and commitment on this issue” but the U.S. Chamber of Commerce stated that the legislation “compounds the problem of a confusing patchwork of state and federal privacy laws”.
Rep. Lofgren is the second most senior member of the House Judiciary Committee and Rep. Eshoo is the third most senior member of the House Energy & Commerce Committee, which are the two committees with jurisdiction over the bill. No hearings have been set on the legislation.