

Reps Anna Eshoo [D-CA] and Zoe Lofgren [D-CA] have introduced HR 4978, the "Online Privacy Act," which is a comprehensive set of federal rules for privacy, interoperability, and protection from algorithmic discrimination and manipulation.



It's a big bill (132 pages!) and even the summary is an intense read, so I've only skimmed it. Based on that, I'm cautiously optimistic about it: the interoperability section (p26-30) tried to thread a bunch of difficult needles, including defining which companies are big enough to warrant interoperability mandates, both ongoing and one-time access to user data, and how privacy protections co-exist with interoperability obligations.





However, my cursory read leaves me concerned that much of the obligations on companies and rights for users have exceptions that are loosely defined — companies have to do things that are "reasonable," or "proportionate" or "necessary," and it's not hard to see how that could be distorted into some vast loopholes.





That said, Lofgren is a seasoned legislator with a good track record — she co-sponsored "Aaron's Law", which would have reformed the parts of the Computer Fraud and Abuse Act that were used to unjustly target Aaron Swartz and threaten him with a lengthy prison sentence, which led to his suicide in 2013.





The one-pager gives a good overview of all the things this bill is trying to do. It's an impressive attempt at sweeping reform, sort of a Sarbanes-Oxley for Big Tech, but like Sarbanes-Oxley, any bill this complicated has lots of room for mischief, amendment, and unintended consequences. There are a ton of legislative analysts poring over this right now and I'm really looking forward to reading what they have to say about it.

* Digital Privacy Agency (DPA). The bill creates a new federal agency to enforceusers' privacy rights and ensure companies follow the law. While unique for the U.S., this wouldbenot the only privacy agency in existence. Every E.U. countryhas a privacy agency,and a California ballot initiative is proposing a new state agency. The DPA would be an independent agency with funding for up to 1,600 employees. * User Rights.The bill gives users the right to:



* access, correct, delete, and transfer data about them;



* request a human review of impactful automated decisions;



* opt-inconsent for using data for machine learning/A.I.algorithms;



* be informed if a covered entity has collected your information; and



* choose for how long their data can be kept. * Company Obligations. Companies must:



* articulate the need for and minimize the user data they collect, process, disclose, and maintain;



* minimize employee and contractor access to user data;



* not disclose or sell personal information without explicit consent;



* not use third-party data to reidentify individuals;



* not use private communications, (e.g., emails and web traffic) for ads or other invasive purposes;



* not process data in a way that violates civil rights, e.g., employment discrimination;



* only process genetic information in limited circumstances;



* use objectively understandable privacy policies and consent processes, and may not use 'dark patterns' to obtain consent;



* employ reasonable cybersecurity policies to protect user data; and



* notify the agency and users of breaches and data sharing abuses, e.g., Cambridge Analytica. * Enforcement



* The DPA can issue regulations to implement this bill and issue fines forviolations.



* The max money damage is the same as the FTC Act's max ($42,530 per incident).



* State attorneys general may also bring civil actions for violations of this bill.



* Individuals may sue for declaratory or injunctive relief; individuals (not acting collectively) may sue for damages.



* Harmed individuals and States may appoint nonprofits to bring collective,private civilactions for damages on behalf of users. * Protections for Journalists.



* Expressly allows journalists to use or disclose personal information for investigative journalism no differently than they do today. This applies so long as there are safeguards against using the information for non-journalistic purposes. * Additional Provisions. The bill criminalizes doxxing; limits companies from using data to build behavioral profiles without consent; exempts small businesses from the most onerous requirements; prohibits the sale of government records with personal data without consent,and creates an Open Source Machine Learning Training Data Grant Program.



Eshoo & Lofgren Introduce the Online Privacy Act [Anna Eshoo/US Congress]