The first section of the Act sets out the basic right to data portability. Any customer, subscriber, or user of a service has the right to receive (download) and transmit a copy of their data directly to another company of that person’s choosing. The list of types of data is further explained below.

The language aims to capture and improve upon other portability requirements. As noted above, at least two laws currently require data portability. The GDPR grants “data subjects” the right to transmit data from one “data controller” to another whenever technically feasible. The CCPA requires a “business” to deliver “portable” data to “consumers” requesting access. Both require the information to be in a usable format that allows for easy transmittal, and information must be transmitted “without hindrance.” Further, the Dodd-Frank Wall Street Reform and Consumer Protection Act provides an analogous right to portability of consumer financial data.

In the Data Portability Act, the data portability requirement applies to “covered entities” (or “companies” herein) broadly. Like in the GDPR and the CCPA, a federal data portability requirement should apply to all online companies that process (collect, use, or otherwise handle) personal data. If a company collects data about its customers, subscribers, or users, those people should be able to port that data to another service. This requirement should also apply to small businesses, though the Act incorporates a safety valve in its list of exceptions that would not impose the requirement on small companies that collect and store data, but do not attribute that data to a particular customer, subscriber, or user.

Our definition of the rightsholder, while drafted broadly, is narrower than that of other laws. The CCPA grants portability to the “consumer,” meaning every natural person in California. The GDPR grants portability to the “data subject,” meaning any identified or identifiable natural person. The Data Portability Act grants the right to the “customer, subscriber, or user,” which requires that the person exercising the right has some kind of relationship with a certain company. Having a broader definition of user or applying the right to all natural persons may create more privacy problems—the law should not force a company to attach identifying information to data that it would not otherwise identify simply to facilitate its portability (see further discussion in the exceptions section below).

This definition of rightsholder will likely mean that data brokers, because they collect data about people from other sources, will not have to comply with the portability requirement as written. We do not intend to downplay the unique concerns associated with data brokers—in fact, data brokers should be subject to their own privacy obligations beyond a mere registry. But given a data broker’s increased difficulty in authenticating identity and concerns related to a company potentially having to attach an identity to unidentified data, the Act requires rightsholders to have a relationship with the company before they have a right to transmit data.[3]

Within the data portability right is the right to “receive,” or download, data. The Act, in general, requires that companies establish a mechanism to export data, but does not require a company to import data or impose any requirements on importing data. One service may require a person to download a copy of their data from another service rather than allow for direct transmittal between services. In this way, the right to “receive” data in this Act could be viewed as a right of access (a different user right) to data held by a company about a rightsholder. The proper scope of a right of access is beyond the subject matter of this memo, except to say that data that is portable should also be accessible to the rightsholder. Therefore, in addition to a direct transmittal to another service, the data portability right allows for a direct download.

The Act requires that a “copy” of the data be downloaded or transmitted to another company. The transmitting company is not required to delete the data it holds on the rightsholder when it transmits that data. That said, in comprehensive privacy legislation, a person would likely also have the right to have their information deleted from the transmitting service if they so desire, which could be encapsulated in a separate “right to deletion” of data.

Last, by default the Act assumes that any data “within the possession or control” of the company is portable. Thus, any data stored on a company’s servers, or stored in a way that the company has the ability to process that data, regardless of the source of that data, is susceptible to the portability right.

Covered types of data

The Act broadly defines the five types of data that should be portable: data the rightsholder provides to the company, data that the rightsholder has access to and that was collaboratively or jointly created, data about the rightsholder that was collected by the company through the normal use of the company’s service, data inferred about the rightsholder through analyzing other information, and data about the social connections (if any) that the rightsholder has accumulated through their use of the service.