U.S. Congresswomen Anna Eshoo (D-California) and Zoe Lofgren (D-California) have reintroduced House Resolution 6027 for the Online Privacy Act of 2021.

Some of the bill’s key differentiators from CCPA, CDPA and CPA:

  • limitations on the disclosure of personal information to third parties that are not subject to the Act/jurisdiction of the US (Counter-Schrems II) (Section 204)
  • disclosure in privacy notice needs to name parties with whom information was shared (not just categories)
  • GDPR-style human intervention for automated processing
  • detailed right of data portability, including requirements for programming and providing access to relevant APIs
  • affirmative consent required for processing that links an individual with an algorithm, model or other means designed for behavioral personalization
  • obligation to provide the core service without targeted advertising where feasible
  • GDPR-style Art 14 privacy notice requirement for data collection by data brokers
  • exceptions for “Privacy preserving computing”
  • consent required for disclosure to third parties (by category) and for sale (by party)
  • specific limitations on disclosure for marketing/advertising purposes
  • prohibition on re-identification of information
  • specific prohibition on processing content of communications
  • GDPR-style requirement for an easy mechanism to revoke consent
  • specific prohibition on dark patterns in notice and consent and privacy policies
  • detailed requirements re: information security policies
  • initiative to provide templates and assistance on this to SMEs
  • GDPR-style 72-hour data breach notification requirements
  • establishment of a Digital Privacy Agency to enforce the act that would have an annual budget of $550 million