Privacy Bill Essentials: Data Care Act

Hinshaw & Culbertson - Privacy, Cyber & AI Decoded

Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

In a push to enact a federal privacy law, a group of 17 senators has reintroduced the Data Care Act (DCA). First introduced in 2018, the DCA would establish explicit duties requiring websites, apps, and other online service providers and applicable third parties to take proper steps to protect user personal information they collect and use.

To whom would it apply?

The DCA would apply to online service providers defined as entities that:

  • Engage in interstate commerce over the internet or any other digital network; and
  • Collect individual identifying data about end users, including in a manner that is incidental to the business conducted.

The DCA would also apply to third parties to which an online service provider transfers, or otherwise provides access to, individual identifying data.

What types of information would it cover?

The DCA would cover individual identifying data and sensitive data.

Individual identifying data is defined as data that is linked, or reasonably linkable, to a specific user or computing device that is associated with, or routinely used by, an end user.

According to the DCA, sensitive data includes:

  • Personal information as defined in Section 1302 of the Children's Online Privacy Protection Act of 1998;
  • A social security number, driver's license number, passport number, military identification number, or any other similar number issued on a government document used to verify identity;
  • A financial account number, credit, or debit card number, or any required security code, access code, or password that is necessary to permit access to a financial account of any individual;
  • Biometric information;
  • Any information sufficient to access an account of an individual, such as user name and password or email address and password;
  • Identifiers of a consumer or household (e.g., name, alias, email address, date of birth);
  • Geolocation data;
  • All information that relates to past, present, or future physical or mental health or condition of an individual, or the provision of health care to an individual; and
  • The nonpublic communications or other nonpublic user-created content of any individual.

What rights would it create?

The DCA would not create any specific consumer rights.

What obligations would it impose?

The DCA would require online service providers and applicable third parties to fulfill duties of care, loyalty, and confidentiality in connection with user data they collect and use, as follows:

  • A Duty of Care to reasonably secure individual identifying data and promptly inform users of data breaches involving sensitive information.
  • A Duty of Loyalty prohibiting the use of individual identifying data in ways that harm users.
  • A Duty of Confidentiality to ensure that the duties of care and loyalty extend to third parties to whom online service providers disclose, sell, or share individual identifying data.

How would it be enforced?

The DCA would be defined and enforced by the Federal Trade Commission (FTC). Any violation of the duties established by the DCA would be treated as a violation of an FTC rule defining unfair or deceptive acts or practices. State Attorneys General may also commence civil actions for violations of the DCA, in which case the FTC may intervene.

In addition to other applicable penalties, online service providers and applicable third parties found to have knowingly or repeatedly violated the DCA would be liable for a civil penalty equal to the amount calculated by multiplying the greater of the following by an amount not to exceed the maximum civil penalty as defined under the Federal Tort Claims Act (FTCA):

  • The number of days during which the online service provider was not in compliance with this bill; or
  • The number of end users who were harmed as a result of the violation.

When would it go into effect?

The DCA would go into effect on the date of enactment and apply to online service providers and end users 180 days after that.

Where does it stand? 

The DCA was introduced on March 23, 2021. As more information becomes available, we will report on its progress.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
