Proposed Federal Online Privacy Act Goes After Big Tech and puts Consumers in the Driver’s Seat

Regulation ¦ November 24th, 2019, 11:00 pm

The emanating patchwork of differentiating state-wide privacy regulations, such as the CCPA, Nevada SB 220, Maine LD 946 and coming soon, Illinois HB 3358 and Washington SB 5376, is a thorn in the eye of many American businesses. Keeping up with so many differentiating laws comes at a great continuous cost. The fear of a future of fragmented privacy laws has even managed to garner the interest of Big Tech in a Federal Privacy Regulation, in an effort to stomp out these threatening state-wide regulations that are growing like weeds.

Silicon Valley congresswomen Eshoo and Lofgren have answered the call earlier this month, but not in the way that Big Tech was hoping for.

Their proposal for the federal Online Privacy Act (H.R. 4978) (OPA) gives extensive powers to consumers and is poised to kill many common business practices, such as serving personalized content or using messaging-content to tailor advertising. The congresswomen have clearly taken a good hard look at the common strategies employed and mistakes made by tech giants like Facebook, Google, Amazon and meticulously set about banning each and every one of them.

The OPA gives us a lot to unpack. It is by far the strongest data privacy proposal to date and has been received with open arms by public interest organizations and privacy experts, referring to it as the #1 privacy regulation. Although the proposal in its current form is unlikely to pass, it certainly sets a high bar for the ongoing discussions in Congress and clearly signals the strong stance taken by Silicon Valley representatives on privacy rights.

Below we have put together a quick overview covering the most important aspects of the proposed regulation:


  • Scope 

    The OPA has a wide scope, covering all businesses without setting any boundaries in annual revenue or amount of users (as the CCPA does). There are some exemptions for small businesses, but they will still need to be compliant with a large chunk of the bill.

  • Consumer rights

    Americans are granted a right to access, correction, deletion, portability and the right to decide how long the data may be stored (impermanence). They can also request a human review of impactful automated decisions.

  • Data breaches

    A data breach under the OPA merely requires unauthorized access or acquisition of PI or contents of communication. An actual exfiltration or theft of data is not required. Businesses have a notification duty to consumers within a 14 day time-frame if the breach causes foreseeable increased privacy harm. OPA 2019 would take precedence over state law where its requirements are stronger, which is certainly the case for the data breach notification clauses.

  • Action and fines

    There is a private right of action for any violation of the act. Whistleblowers may file a civil action (but need to file a written request to the Director to commence the action first). Fines can go up to $42,530 per violation.

  • United States Digital Privacy Agency

    OPA 2019 provides for the creation of a Digital Privacy Agency which would be responsible for its enforcement. This agency would be staffed with 1,600 employees, which makes the FTC’s 40-privacy member headcount pale in comparison.

A Threat to ‘Walled Garden’ Ads and Personalization

Consent to sale, disclosure and personalized content Companies will need to get consent if they plan to sell or disclose personal information, use it for artificial intelligence algorithms or to create and serve personalized content. For many leading tech companies, personalization is at the heart of the product. E-commerce sites like Asos or Amazon and streaming services like Spotify or Netflix would severely struggle to function without displaying personalized content. According to Netflix, 80% of watched content comes from recommendations. A 2018 survey from Salesforce showed that only half of consumers were willing to share personal data in return for recommendations or personalized shopping experiences.

Consent to storage When consumers are asked to consent to the storing of data, they will need to be asked how long the data may be stored. Two of the given options must be “No longer than needed to complete the transaction” or “Until consent revoked”. Chances are that most consumers will select the first option. Business practices such as fraud detection are exempt, but maintaining data points that aren’t necessary for the core-product, but are for instance used for internal advertising purposes, would be strictly forbidden.

Using messaging-content for ad-creation Businesses with walled gardens like Facebook and Google are targeted specifically with the prohibition of using private communications (like emails or Facebook messages) for use-cases that go beyond sending, displaying or helping to draft the message, such as ads.No privacy regulation has ever given attention to this before, meaning that OPA ’19 would finally put an end to the ‘carte blanche’ these players have had up till now, using their massive amounts of data to serve internal ads.

Understanding One of the largest issues that no privacy law (including GDPR) has tackled yet is the fact that users will tick whichever opt-in boxes they need to in order to proceed to the service, without actually understanding what they are consenting to. The Director of the Agency will define a minimum percentage of individuals who read and understand a notice, consent process or privacy policy. What the cut-off points will be or how this will be measured is unclear. Businesses will have to submit data to the Director to prove that their processes and privacy policy meet the threshold. It is unclear what would happen in case of a backlog of non-approved processes or policies, and whether this would mean that entities will need to wait to do business until they get approval.

Employee access log Big tech has had to come clean about mishaps with unauthorized employees accessing personal data multiple times in the past. Facebook disclosed in March 2019 that its employees had access to 200–600 million customer passwords, Snapchat had problems early this year with employees spying on customers and Amazon employees are reportedly able to figure out the home addresses of customers by listening to Alexa. OPA 2019 forces companies to keep an access log, tracking which employees access which information at which time, if it is reasonably foreseeable that this access could increase or create privacy harm. This would certainly complicate internal processes, but could prevent the repetition of the mistakes of the past.

The OPA sends a clear signal to Congress: Digital privacy rights must be protected extensively, far-reaching rights should be granted to consumers, no matter how damaging the impact may be on any practices currently employed in the tech industry. There should be a powerful enforcement agency with the authority to impose hefty fines on a per-violation basis.

It will be interesting to see the impact this proposal will have on the further development of a Federal Privacy Law.

Get the Data Digest in your inbox