On June 18, 2020, Senator Sherrod Brown (OH) released a discussion draft of a privacy bill entitled the Data Accountability and Transparency Act of 2020 (“the Bill”). The Bill would provide individuals with several new rights regarding their personal data; implement rules limiting how personal data is collected, used or shared; and establish a new federal agency called the Data Accountability and Transparency Agency to protect individuals’ privacy and enforce those rules.

In particular, the Bill limits the collection, usage and sharing of personal data by “data aggregators” to when it is strictly necessary to carry out one of twelve “permissible purposes,” and bans practices such as targeted advertising and commingling personal data from multiple applications, services, affiliates or independent business lines. The Bill would also:

• forbid retention of personal data for any time longer than is strictly necessary to carry out a permissible purpose;

• ban the use of facial recognition technology as well as the collection, usage or sharing of any personal data obtained from facial recognition technology;

• prohibit discriminatory uses of personal data;

• require data aggregators using automated decision systems to conduct testing on bias and disparate impact as well as risk assessments;

• provide individuals with the rights of access, portability, transparency, deletion, accuracy and correction, as well as the right to object to a claimed permissible purpose and to human review of automated decisions;

• implement a duty of care requiring that data aggregators implement and maintain reasonable security practices and procedures;

• require data aggregators to establish comprehensive privacy and data security policies, practices and procedures; and

• establish criminal and civil penalties for CEOs and boards of directors for certain violations of the Bill.

The Data Accountability and Transparency Agency would be headed by a Director who would serve a five-year term and would protect individuals from unfair, deceptive, abusive and discriminatory practices. It would be given broad rule-making authority and could identify specific practices that it deems unfair, deceptive, abusive or discriminatory.

The Bill could be enforced by state attorneys general and contains a private right of action for any violation of the act, under which any violation would be presumed to cause privacy harm and constitute a concrete and particularized injury to the individual. It would only preempt laws that directly conflict with its provisions, and it specifically notes that laws offering greater protections than the Bill would not be preempted.