[co-author: Alicia Nakhjavan, Law Clerk]
A cynical online commenter once wrote this about the data collection practices of the online news site Digg: “If you are not paying for it, you’re not the customer; you’re the product being sold.”
This is true of almost all of the websites and social media platforms people use daily. We are eager to accept websites’ “cookies" to track our contact information, credit card information, browsing history, and other data, providing big tech companies with all kinds of valuable and actionable personal information. Yet we may not know how our personal information is used or where it is shared. For big tech companies, our information is their product. This is why they make their platforms free and so attractive and enticing for us to use.
Many governments believe that data subjects are giving away too much information or may regret what information they have already shared. Many believes the potential exists for a data subject’s personal information to be misused to discriminate against individuals through automated processing, or by allowing, for example, a potential employer to know something that they would not otherwise be able to access through the traditional employment process.
The best-known regulation addressing this is Europe’s General Data Protection Regulation, or GDPR. Similar measures are also being instituted in other nations and states, such as California’s Consumer Privacy Act (CCPA).
In the United States, there are very few regulations at the federal level, with most protections coming from the Federal Trade Commission. The FTC’s actions focus less on how organizations use the information they collect or purchase, and more on circumstances where data protections were less than what was represented – usually following a data breach.
To address this concern about how data subjects’ information is used, U.S. Sen. Kirsten Gillibrand of New York recently introduced the Data Protection Act of 2021. If passed, this proposed bill would create the Data Protection Agency. The purpose of the Agency is to protect individuals’ privacy, limit the collecting, processing, and sharing of personal data, and reduce discrimination and differential treatment on the basis of “protected class.” As proposed, the Data Protection Agency will be responsible for regulating high-risk data practices and the collection, processing, and sharing of personal data. The Agency will also be responsible for promoting equal opportunity and non-discriminatory processing of personal information.
Who Does the Data Protection Act Apply to?
The entities most restricted by this agency are data aggregators. The aggregators collect, use, or share large amounts of personal data. Under this bill, aggregators must have an annual gross revenue in excess of $25 million or annually collect, use, or share the personal data of 50,000 or more individuals, households, or devices. If one of these criteria are met, the Agency may periodically examine the aggregator or require the aggregator to submit reports so that the Agency can effectively supervise the aggregator and ensure its compliance with federal privacy laws.
The Data Protection Act of 2021 would also apply to entities other than aggregators, but more by providing leadership, guidance, and education on privacy rights and data protection standards.
What Does the Data Protection Act Prohibit?
The bill seeks to reduce discrimination in data processing on the basis of “protected class.” A protected class refers to the race, ethnicity, religion, sex, sexual orientation, familial status, biometric and genetic information, or disability of an individual or group. The Agency aims to do this by enacting legislation that identifies discriminatory acts and practices in connection with the collection, processing, and sharing of personal data and restricting aggregators from engaging in those practices.
To enforce this, data aggregators are prohibited from refusing to comply with the rules or orders established by the Agency. They are also prohibited from trying to identify an individual from anonymized data. Anonymized data is information that does not identify a particular individual. If an individual substantially assists an aggregator in violating federal privacy laws, that individual will also be found to have violated the law.
The Agency has investigatory powers and may pursue individuals or data aggregators who they believe violated the law. The investigation will be performed by an attorney or investigator employed by the Agency. The investigator will determine whether the aggregator or individual engaged in conduct that violated the law and may levy fines if any violations are found. The fines will either fund a Victim’s Relief Fund or, if individual victims can be identified, they can be compensated directly.
If an individual believes there has been a violation of the federal privacy law, they can file a complaint with a unit established by the Agency. The unit will be responsible for establishing a toll-free phone line, website, and publicly available database where people can report potential violations. The unit will also be responsible for tracking and responding to any complaints.
How Does the Data Protection Act Relate to Federal and State Law?
The Data Protection Act of 2021 makes it clear that this bill does not affect or exempt people from complying with state law, unless state law is inconsistent with this Act. The Agency will determine whether a state law is inconsistent with the Data Protection Act. The bill also does not affect the scope of any other federal privacy laws. This is unfortunate because many authors hoped a federal law would preempt state law and provide potential relief from the patchwork of different state laws that are in effect or pending in various state legislatures. If passed, this will be yet another compliance program that will require skillful navigation by compliance professionals.
How Does the Data Protection Act Compare to GDPR?
The General Data Protection Regulation (GDPR) is the EU’s privacy and security law. The GDPR applies to anyone who offers goods or services to, or processes the personal data of, EU residents or citizens. The GDPR does not apply purely to personal or household activity, or to organizations with fewer than 250 employees. In this regard, it is similar to the Data Protection Act of 2021, as both do not apply to non-commercial activities.
The Data Protection Act and GDPR also have similar goals of protecting individuals’ privacy and preventing discrimination. The Data Protection Act directly references the importance of preventing discrimination that occurs as a result of data processing. The GDPR similarly states that individuals should not be subject to discrimination based solely on automated processing, but provides three exceptions to this: (1) if the decision is necessary for entering into or performing a contract, (2) if the decision is authorized by union or member state law, or (3) if the decision is based on the individual’s explicit consent. Unlike the GDPR, the Data Protection Act does not provide for exceptions to the provisions against discrimination.
How Might These Provisions Impact Your Business?
The Data Protection Act of 2021 aims at protecting individuals’ privacy and preventing discrimination. If the bill is passed, this will add another layer on top of the multiple privacy regulations with which businesses already must comply. The introduction of more federal privacy regulations highlights the constant battle between individuals’ desires to use the free services of big businesses without compromising their privacy against big businesses’ inducement to use free services so they can better track, understand, and market to consumers.
Compliance with data protection laws remains a challenging and risky endeavor. State and national governments enact new privacy and security laws routinely, forcing businesses to either implement individual programs for different data subjects or develop one program that satisfies all or many of the laws – at least to the extent that they don’t conflict.