Bennet, Schatz, Colleagues Reintroduce Legislation To Protect People’s Personal Data Online

Data Care Act Will Stop Websites and Apps from Using Personal Data to Harm Users, Protect User Information from Hacks, and Hold Companies Accountable for Misuse

Washington, D.C. – Today, Colorado U.S. Senator Michael Bennet joined a group of 16 senators, led by Senator Brian Schatz (D-Hawai’i), in reintroducing legislation to protect people’s personal data online. The Data Care Act would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.

“Americans deserve confidence that the websites and apps we use every day are responsibly storing and using our personal data,” said Bennet. “Online companies should have a duty to protect and use our data with the highest level of care, and the Data Care Act will hold them accountable while ensuring they handle our data with our best interest in mind.”

Doctors, lawyers, and bankers are legally required to exercise special care to protect their clients and not misuse their information. By contrast, online companies that also hold personal and sensitive consumer data do not face similar requirements to protect it. Consumers are left in a vulnerable position, where they are expected to understand what information they give to providers and how it is being used – an unreasonable expectation for even the most tech-savvy individuals. With an explicit duty established for online providers, Americans can have greater confidence that their online data is being protected and used responsibly.

In addition to Bennet and Schatz, the Data Care Act is cosponsored by U.S. Senators Catherine Cortez Masto (D-Nev.), Ed Markey (D-Mass.), Tammy Duckworth (D-Ill.), Tammy Baldwin (D-Wis.), Joe Manchin (D-W.Va.), Dick Durbin (D-Ill.), Sherrod Brown (D-Ohio), Cory Booker (D-N.J.), Amy Klobuchar (D-Minn.), Maggie Hassan (D-N.H.), Martin Heinrich (D-N.M.), Patty Murray (D-Wash.), Bernie Sanders (I-Vt.), and Chris Murphy (D-Conn.).

The Data Care Act establishes reasonable duties that will require providers to protect user data and will prohibit providers from using user data to users' detriment:

  • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene. States and the FTC may go after both first- and third-party data collectors;
  • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

The bill text is available HERE