On February 12, 2020, Senator Kirsten Gillibrand (D-NY) announced a plan to create a new Data Protection Agency through her proposed legislation, the Data Protection Act of 2020 (S.3300).

Under the proposal, the new agency would replace the Federal Trade Commission (FTC) as the “privacy cop on the beat.”  As such, the FTC’s current authority in the privacy space—including its ability to draft guidelines, conduct studies, and issue implementing regulations for certain federal privacy laws, would be transferred to the new agency.

As opposed to the Online Privacy Act, a bill introduced by Representatives Anna Eshoo (D-CA-18) and Zoe Lofgren (D-CA-19) that also would create a new privacy agency, Sen. Gillibrand’s bill would not create a new omnibus federal privacy law.  Instead, it is focused on the creation of the Data Protection Agency and its rulemaking authority.  However, various aspects of the new agency’s authority provide valuable insights into what privacy regulation at the federal level might look like under the bill.

For example, one of the most notable aspects of the proposed agency is its involvement in overseeing “high-risk data practices.”  “High-risk data practices” include “systematic or extensive evaluation[s] of personal data that [are] based on automated processing . . . on which decisions are based that produce legal effects concerning [an] individual or household;” “any processing of biometric data for the purpose of uniquely identifying an individual;” and “processing the personal data of an individual that has not been obtained directly from the individual.”  It also includes “sensitive data uses,” which are defined to include “the processing of data in a manner that reveals” personal data such as an individual’s race, religion, sexuality, or familial status, as well as uses of biometric or genetic data of an individual.  The definition of “personal data” is very similar to the definition of “personal information” under the California Consumer Privacy Act (“CCPA”), with a few key divergences (for example, Senator Gillibrand’s definition applies to particular individuals or devices, but not to households).

As part of its responsibilities with regards to these high-risk data practices, the new agency would:  (1) require and oversee ex-ante impact assessments and ex-post outcomes audits of high-risk data practices by covered entities “to advance fair and just data practices;” (2) examine “the social, ethical, economic, and civil rights impacts of high-risk data practices and propose remedies;” (3) initiate a formal public rulemaking prior to the implementation of “any new high-risk data practice or other related profiling technique;” and (4) review and approve new high-risk techniques or applications, giving special considerations to minors and sensitive data uses.

Among other things, the agency also would be tasked with:

  • Leadership, coordination, and efficiency: providing “leadership and coordination to the efforts of all federal departments and agencies to enforce all Federal statutes, Executive orders, regulations and policies which involve privacy or data protection,” including by eliminating conflicts and duplications of efforts among agencies tasked with privacy or data protection;
  • Fair privacy contract terms: ensuring privacy-related contract terms are fair, including by prohibiting “‘pay-for-privacy provisions’ and ‘take-it-or-leave-it’ terms of service”;
  • Consumer scoring: regulating “consumer scoring” and other practices that determine consumer eligibility for rights, benefits or privileges in certain contexts (e.g., employment, credit, housing);
  • Examination of privacy practices: ensuring that privacy practices are “fair, just, and comply with fair information practices,” and developing model privacy and data protection standards and guidelines;
  • Supervision of “very large” covered entities: supervising “very large” covered entities, including by requiring periodic reports and conducting examinations to assess compliance with federal privacy law; and
  • “Unfair or deceptive acts or practices”: prohibiting “unfair or deceptive acts or practices” for all covered entities.  The bill grants the agency rulemaking authority for identifying practices which would be deemed “unfair” or “deceptive.”

The agency also would have authority to coordinate with appropriate federal regulatory agencies to establish procedures for providing timely responses to consumer complaints concerning covered entities.  Relatedly, the agency would have significant enforcement authorities, including the ability to conduct joint investigations with subpoena authority, seek equitable and legal remedies, rescind or reform contracts, and pursue civil penalties.

Finally, the bill only would preempt state privacy laws to the extent that they are inconsistent with federal laws.  In addition, the bill provides that state attorneys general also may bring a civil suit in their state to enforce provisions of this bill or regulations issued by the agency.

The full text of the Data Protection Act of 2020 is available here.