Eshoo, Lofgren Draft Proposal Envisions New Privacy Agency Modeled After CFPB
House Democrats are drafting legislation that would create a U.S. data privacy agency modeled after the Consumer Financial Protection Bureau, according to documents we obtained. The draft framework for the Online Privacy Act from Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., (see 1902130058) envisions an independent agency within the executive branch. Authorized with $200 million annually and about 1,600 staff, the U.S. Digital Privacy Agency would be led by a director who could issue rules and orders.
The draft includes private rights of action for consumers, a sticking point for Republicans negotiating a privacy bill in the Senate. It doesn't address the issue of state pre-emption, another key point of contention. House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill., is leading a separate privacy effort for Democrats. Eshoo and Lofgren requested feedback on the draft through July 12.
The new agency’s enforcement authority would be “largely based on Title X of the Dodd-Frank Act,” which established CFPB. The draft dictates that maximum civil financial penalties be based on Section 5 of the FTC Act. The agency could carry out investigations, subpoena testimony or documents, issue civil investigative demands and issue cease and desist notices. State attorneys general could bring civil action under the proposal, but the federal government could intervene.
The proposal would require breached entities to notify the agency of data incidents within 72 hours. It targets “any entity that collects or processes personal information” and transmits data over an “electronic network,” including broadband providers. Smaller businesses would be exempt: That includes entities that don’t have revenue from personal data sales, get less than half their annual revenue from targeted advertising, have fewer than 500,000 users, have fewer than 200 employees and have revenue under $10 million. The proposal envisions certain exemptions for data collection on cyber incidents, protection against other malicious behavior and law enforcement activity.
It includes consumer rights to data access, correction, deletion, portability, human review of automated decisions, the ability to opt out of targeted content and the ability to be informed. Offices for the lawmakers didn’t comment.