U.S. Congresswomen Anna Eshoo (D-California) and Zoe Lofgren (D-California) have reintroduced House Resolution 6027 for the Online Privacy Act of 2021.
Some of the bill’s key differentiators from CCPA, CDPA and CPA:
- limitations on the disclosure of personal information to third parties that are not subject to the Act/jurisdiction of the US (Counter-Schrems II) (Section 204)
- disclosure in privacy notice needs to name parties with whom information was shared (not just categories)
- GDPR-style human intervention for automated processing
- detailed right of data portability, including requirements for programming and providing access to relevant APIs
- affirmative consent required for processing that links an individual with an algorithm, model or other means designed for behavioral personalization
- obligation to provide the core service without targeted advertising where feasible
- GDPR-style Art 14 privacy notice requirement for data collection by data brokers
- exceptions for “Privacy preserving computing”
- consent required for disclosure to third parties (by category) and for sale (by party)
- specific limitations on disclosure for marketing/advertising purposes
- prohibition on re-identification of information
- specific prohibition on processing content of communications
- GDPR-style requirement for an easy mechanism to revoke consent
- specific prohibition on dark patterns in notice and consent and privacy policies
- detailed requirements re: information security policies
- initiative to provide templates and assistance on this to SMEs
- GDPR-style 72-hour data breach notification requirements
- establishment of a Digital Privacy Agency to enforce the act that would have an annual budget of $550 million