What is the Data Protection Act?
Recently, Senator Kirsten Gillibrand of New York introduced data privacy legislation known as the Data Protection Act. The act creates new standards for consumer data privacy, giving consumers greater control over their personal data. The Data Protection Act also calls for the creation of a new agency – the Data Protection Agency – to enforce its provisions.
How Does the Data Protection Act Ensure Consumer Data Privacy?
The Data Protection Act ensures consumer data privacy by requiring establishment of an independent federal agency, the Data Protection Agency. The Data Protection Agency (DPA) would be responsible for protection of consumer data, safeguarding of consumer privacy, and ensuring that data collection practices are fair and transparent.
The purpose and function of the Data Protection Agency is to protect individuals’ privacy and limit the collection, disclosure, processing, and misuse of individuals’ personal data by entities covered under the Data Protection Act.
Similarly to the California Consumer Privacy Act (CCPA), the Data Protection Act applies to entities that meet a certain threshold. If an entity meets one or more of the following three thresholds, it is covered under the Data Protection Act:
- The entity has annual gross revenues that exceed $25,000,000.
- The entity annually buys, receives for its commercial purposes, sells or discloses for commercial purposes, alone or in combination, the personal information of 50,000 or more individuals, households, or devices.
- The entity derives 50% or more of its annual revenues from the sale of personal data.
What is “Personal Data” Under the Data Protection Act?
Under the Data Protection Act, the term ‘‘personal data’’ means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device, including:
- An identifier such as a real name, alias, signature, date of birth, gender identity, sexual orientation, marital status, physical characteristic or description, postal address, telephone number, unique personal identifier, military identification number, online identifier, Internet Protocol (IP) address, email address, account name, mother’s maiden name, Social Security number, driver’s license number, or passport number;
- Employment status or employment history;
- Financial information;
- Medical information, mental health information, or health insurance information;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered;
- Characteristics of protected classes under federal law, including race, color, national origin, religion, sex, age, or disability;
- Biometric information;
- Internet or other electronic network activity information, including browsing history, search history, content, and information regarding an individual’s interaction with an internet website, mobile application, or advertisement;
- Historical or real-time geolocation data;
- Audio, electronic, visual, thermal, olfactory (relating to the sense of smell), or similar information;
- Education records;
- Political information; and
- Information on criminal convictions or arrests.
What Federal Privacy Laws will the Data Protection Agency Enforce?
The Data Protection Act gives the Data Protection Agency the authority to enforce federal privacy laws. Under the Data Protection Act, these laws include:
- The Children’s Online Privacy Protection Act;
- The CAN-SPAM Act of 2003;
- The Do-Not-Call Implementation Act;
- The Fair Credit Reporting Act;
- Title V of the Gramm-Leach-Bliley Act;
- The Identity Theft Assumption and Deterrence Act of 1998;
- The Telephone Consumer Protection Act of 1991; and
- The Telemarketing and Consumer Fraud and Abuse Prevention Act.
Under the Data Protection Act, the Data Protection Agency will also enforce Subtitle D of the HITECH Act. Subtitle D of the HITECH Act regulates the privacy and security of electronic protected health information. It does so by providing for the improvement of privacy and security of health IT, and by providing for fines for violation of HIPAA. Fines for HIPAA noncompliance are currently based on the level of perceived negligence found within an organization at the time of the HIPAA violation. Fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
How Will the Data Protection Act be Enforced?
Under the Data Protection Act, the DPA will be given the authority and resources to enforce data protection laws and rules. The DPA will be given a variety of enforcement tools, including the authority to take complaints, conduct investigations, and inform the public on data protection matters. Under the Data Protection Act, the DPA is given the right to impose civil monetary penalties against entities that violate the law.
What Other Powers Would the Data Protection Agency Have?
Under the Data Protection Act, the Data Protection Agency would also promote data protection and privacy innovation across public and private sectors. In addition, the agency would develop and provide resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data. The agency would also take complaints, conduct investigations, and inform the public on data protection matters.
