In late June 2022 H.R. 8152 was introduced which seeks to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. 

What are some of the important aspects of the bill?

According to the Congressional Research Service the bill proposes the following:

Covered Entities. It would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds or service providers that use data on behalf of other covered entities, would face different or additional requirements.

Covered Data. It would apply to information that “identifies or is linked or reasonably linkable” to an individual.

Duties of Loyalty. It would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images.

Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.

Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would require covered entities to get a consumer’s affirmative, express consent before using their “sensitive covered data” (defined by a list of sixteen different categories of data). It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.

Youth Protections. It would create additional data protections for individuals under the age of 17, including a prohibition on targeted advertising, and it would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).

Third-Party Collecting Entities. It would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that it does not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.

Civil Rights and Algorithms. It would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. Large data holders would be required to submit these assessments to the FTC and make them available to Congress on request.

Data Security: It would require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities. It would authorize the FTC to issue regulations elaborating on these data security requirements.

Small- and Medium-size Businesses: It would also relieve small- and medium-size businesses from complying with several requirements; for instance, these businesses may respond to a consumer’s request to correct their data by deleting the data, rather than correcting it.

Enforcement. It would be enforceable by the FTC, under that agency’s existing enforcement authorities, and by state attorneys general in civil actions.

Private right of action. It would create a delayed private right of action starting four years after the law’s enactment. Injured individuals would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.

Preemption. It would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.

Section by section specifics can be found here. 

We are going to see more privacy proposals on the state and federal level. 

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

No matter what, technology will always move faster than the law. With this maxim and our ever increasing reliance on convenient information, we have seen technology companies try to bring us what we want to see while also collecting a staggering amount of information on consumers. With regulations scant on personal data, Congress is slowly becoming more active in making policy governing technology. 

In November 2019, Congresswomen Anna G. Eshoo (D-CA) and Zoe Lofgren (D-CA) introduced the Online Privacy Act of 2019 (H.R. 4978). According to the sponsors, the bill proposes to strengthen user rights, places obligations on companies to protect users’ data, establishes a new federal agency to enforce privacy protections, and strengthens enforcement of privacy law violations.  

The sponsors press release discussed the following points which are highlights of the bill: 

• Creating User Rights – The bill grants every American the right to access, correct, or delete their data. It also creates new rights, like the right to impermanence, which lets users decide how long companies can keep their data.

• Placing Clear Obligations on Companies – The bill minimizes the amount of data companies collect, process, disclose, and maintain, and bars companies from using data in discriminatory ways. Additionally, companies must receive consent from users in plain, simple language.

• Establishing a Digital Privacy Agency (DPA) – The bill establishes an independent agency led by a Director that’s appointed by the President and confirmed by the Senate for a five-year term. The DPA will enforce privacy protections and investigate abuses.

• Strengthening Enforcement – The bill empowers state attorneys general to enforce violations of the bill and allows individuals to appoint nonprofits to represent them in private class action lawsuits.

 With so many controversies surrounding the use and rights of consumer data, we fully expect more government oversight into technology. If you are a technology stakeholder and you are interested in learning more about emerging policy or understanding potential risks to your business model contact us for legal or government affairs solutions at Lanton Law.