Grading on a Curve: Privacy Legislation in the 116th Congress


Summary (Updated - April 2020)

The United States is now considering several bills to protect privacy. These bills are intended to address growing public concern about the absence of adequate legal protection in the United States for personal data. EPIC’s report Grading on a Curve reviews recent developments, identifies key characteristics of privacy laws, and assesses pending legislative proposals. The EPIC Report finds that several of the bills lack the basic elements of a comprehensive privacy law, such as a federal baseline for privacy protection, an opportunity for individuals to enforce their rights, and an independent data protection agency. However, Representatives Anna Eshoo and Zoe Lofgren’s Online Privacy Act, H.R. 4978, is comprehensive, creates strong user rights, and establishes a U.S. Data Protection Agency. EPIC ranks the Online Privacy Act as the #1 bill in Congress.

The Data Protection Act, S. 3300, filed by Senator Kirsten Gillibrand, solves one critical privacy problem very well by creating an independent Data Protection Agency in the United States to safeguard the personal data of Americans.

EPIC's report reveals that the Senate Commerce and House Energy & Commerce Committees have yet to schedule public hearings on many privacy bills referred to their committees. Congress will need to hold hearings, invite experts, and seek comments from the public before acting on these proposals.

Elements of a Privacy Law

The key elements for privacy legislation identified in EPIC's Report Grading on a Curve follow from commonly recognized national and international standards for data protection. For example, the OECD Privacy Guidelines of 1980 are widely viewed as a baseline standard for privacy rights and responsibilities and have been adopted in U.S. law and international agreements. More recently, the General Data Protection Regulation of the European Union has emerged as the most comprehensive approach to privacy protection in the modern age. The modernized Council of Europe Privacy Convention has also shaped the modern-day understanding of the right to privacy.

  • Strong definition of personal data
  • Establishes an Independent Data Protection Agency
  • Individual Rights (right to access, control, delete)
  • Strong data controller obligations
  • Algorithmic transparency requirements
  • Data Minimization and Privacy Innovation Requirements
  • Prohibits take-it-or-leave-it or pay-for-privacy terms
  • Private right of action
  • Limits Government Access to Personal Data
  • Does Not Preempt Stronger State Laws

EPIC Report Card