A new bill in the Senate proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

  • Social Security number,
  • Driver’s license number,
  • Passport or military identification number
  • Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account
  • Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
  • Account information such as user name and password or email address and password
  • First and last name of an individual or first initial and last name, in combination with data of birth.

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be defined and enforced by the Federal Trade Commission. It would establish three basic duties, including the duty of care, the duty of loyalty and the duty of confidentiality. If passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like “reasonable” security measures.

There have been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU’s GDPR, and it’s only a matter of time before one of them finally sticks. We will continue to report on the Data Care Act of 2018 and other similar initiatives as developments unfold.