On February 12, 2020, Senator Kirsten Gillibrand announced a plan to create a Data Protection Agency through her proposed legislation, the Data Protection Act of 2020. According to Senator Gillibrand, the purpose of the law is to create the new agency and bring the protection of privacy and freedom into the digital age.
Notably, the bill does not propose omnibus federal privacy legislation. Instead it focuses on the creation of the new agency and its responsibilities, which would include:
- providing leadership and coordination of all federal departments and agencies in enforcing privacy or data protection laws and regulations;
- ensuring the fairness of consumer-facing contract terms, including the prohibition of “pay-for-privacy provisions” or “take-it-or-leave it” terms of service;
- regulating “consumer scoring” and other practices that determine consumer eligibility for rights, benefits or privileges in certain contexts, like employment and housing;
- ensuring that privacy practices are “fair, just, and comply with fair information practices”; and
- supervising “very large” covered entities, including by requiring periodic reports and conducting examinations to assess compliance with federal privacy law.
The bill also includes certain specific responsibilities with respect to “high-risk data practices.” The bill gives the proposed agency significant enforcement authority, including the ability to conduct joint investigations with subpoena authority, seek equitable and legal remedies, rescind or reform contracts, and pursue civil penalties. In addition, the bill provides that state attorneys general may bring a civil suit in their state to enforce provisions of the bill or regulations issued by the agency. The bill would only preempt state privacy laws to the extent that they are inconsistent with federal law.