Reps Eshoo and Lofgren Reintroduce Comprehensive Privacy Legislation

Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) reintroduced the Online Privacy Act (OPA), comprehensive privacy legislation that creates user data rights, places limitations and obligations on the ability of companies to collect and use user data, and establishes a Digital Privacy Agency (DPA) to enforce privacy laws. The updated legislation includes several improved provisions and additional privacy protections, including a section that sets the OPA as the federal floor, allowing states to legislate only when state action would provide greater protection than what is in the OPA. The updated legislation also contains a new title that creates a privacy risk management framework and supports privacy education, research, and development. The Act protects individuals, encourages innovation, and restores trust in technology companies by:

• Creating User Rights – The bill grants every American the right to access, correct, or delete their data. It also creates new rights, such as the right to impermanence, which lets users decide how long companies can keep their data.
• Placing Clear Limits and Obligations on Companies – The bill minimizes the amount of data companies collect, process, disclose, and maintain, and bars companies from using data in discriminatory ways. Additionally, companies must receive consent from users in plain, simple language.
• Establishing a Digital Privacy Agency (DPA) – The bill establishes an independent agency led by a Director who is appointed by the President and confirmed by the Senate for a six-year term. The DPA will enforce privacy protections and investigate abuses.
• Strengthening Enforcement – The bill empowers state attorneys general to enforce violations of the bill and allows individuals to appoint nonprofits to represent them in private class action lawsuits.
• Setting a Federal Floor – The bill establishes a federal floor of privacy protections for all Americans, allowing states to increase protections or respond to changes in technology and public policy.
• Supporting Privacy Research and Development – The bill directs the National Institute for Standards and Technology (NIST) to establish a privacy risk management framework and carry out research associated with mitigating privacy risk. Additionally, it directs NIST to make competitive awards to institutes of higher education or non-profit organizations to support research around privacy-preserving technologies.