U.S. Senator Gillibrand (D-NY) issued a press release announcing the Data Protection Act of 2021, which would create the DPA, an independent federal agency whose goal is to protect Americans’ data, instill privacy safeguards and work to ensure that there is transparency in data sharing practices. 

There have been some changes to this proposed legislation since last year’s version of the bill. These changes include:

• Supervision of Data Aggregators: Grants the DPA authority to review Big Tech mergers involving a large data aggregator, or any merger that proposes the transfer of personal data of 50,000 or more individuals.

• Office of Civil Rights: Establishes the DPA Office of Civil Rights to advance data justice and protect individuals from discrimination. 

• Enforcement Powers: Improves DPA enforcement powers to oversee the use of high-risk data practices and to penalize, examine, and propose remedies to the social, ethical, and economic impacts of data collection.

• Penalties and Fines: Prohibits data aggregators from committing any unlawful, unfair, deceptive, abusive, or discriminatory data practices; and allows for penalties and fines to be levied if violated, including triple penalties for violations against children.

• Defines Key Terms for Transparency: Provides Key Definitions for Privacy Harm, Data Aggregators, and High-Risk Data Practice, among other key terms.

According to the release “The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge of technology, protection of personal data, civil rights, and law. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act. The DPA would have three core missions:

1. Give Americans control and protection over their own data by authorizing the DPA to create and enforce data protection rules. 

2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 

3. Prepare the American government for the digital age.”

Lanton Law’s technology practice has been monitoring privacy developments nationwide. If you are a banking/finance, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

The New York State legislature has introduced Assembly Bill 27, which seeks to make New York the fourth state to enact a biometric privacy law. If successful it will be the second state that will allow consumers a private right of action to see companies for improper data handling. 

New York is definitely taking its cue from Illinois, as that state became the first to require businesses to collect biometric data to provide notice and obtain the owner’s written consent prior to using this information. We have written about the Illinois Information Privacy Act or (BIPA) in a previous post. 

The New York proposal seeks to do the following: 

Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. 

New York has enacted facial recognition laws in the past. In December 2020 Governor Cuomo released a press statement where he signed A6787-D/S5140-B into law that suspended “the use of facial recognition technology and other kinds of biometric technology in schools, directing a study of whether its use is appropriate in schools and issuing recommendations. The legislation places a moratorium on schools purchasing and using biometric identifying technology until at least July 1, 2022 or until the report is completed and the State Education Commissioner authorizes its use, whichever occurs later. It applies to both public and private schools in New York State.” 

Proposed Assembly Bill 27 shows that New York will continue to press forward in this area and will likely inspire other states. If you are a biometric, Health IT/digital health or technology stakeholder, your interests will be impacted.    

Lanton Law is a national boutique law and lobbying firm that focuses on healthcare/life sciences and technology. Contact us today to learn about your organization’s options to prepare for additional regulatory oversight.