Eshoo, Lofgren Draft Proposal Envisions New Privacy Agency Modeled After CFPB
House Democrats are drafting legislation that would create a U.S. data privacy agency modeled after the Consumer Financial Protection Bureau, according to documents we obtained. The draft framework for the Online Privacy Act from Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., (see 1902130058) envisions an independent agency within the executive branch. Authorized with $200 million annually and about 1,600 staff, the U.S. Digital Privacy Agency would be led by a director who could issue rules and orders. The draft includes private rights of action for consumers, a sticking point for Republicans negotiating a privacy bill in the Senate. It doesn't address the issue of state pre-emption, another key point of contention. House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill., is leading a separate privacy effort for Democrats. Eshoo and Lofgren requested feedback on the draft through July 12.
The new agency’s enforcement authority would be “largely based on Title X of the Dodd-Frank Act,” which established CFPB. The draft dictates that maximum civil financial penalties be based on Section 5 of the FTC Act. The agency could carry out investigations, subpoena testimony or documents, issue civil investigative demands and issue cease and desist notices. State attorneys general could bring civil action under the proposal, but the federal government could intervene.
The proposal would require breached entities to notify the agency of data incidents within 72 hours. It targets “any entity that collects or processes personal information” and transmits data over an “electronic network,” including broadband providers. Smaller businesses would be exempt: That includes entities that don’t have revenue from personal data sales, get less than half their annual revenue from targeted advertising, have fewer than 500,000 users, have fewer than 200 employees and have revenue under $10 million. The proposal envisions certain exemptions for data collection on cyber incidents, protection against other malicious behavior and law enforcement activity.
It includes consumer rights to data access, correction, deletion, portability, human review of automated decisions, the ability to opt out of targeted content and the ability to be informed. Offices for the lawmakers didn’t comment.