• by Wendy Davis , Staff Writer @wendyndavis, February 13, 2020

A Democratic lawmaker on Thursday unveiled a proposed bill that would create a federal privacy agency to police companies' use of online data.

The bill, proposed by Sen. Kirsten Gillibrand (D-NY), would create the new "Data Protection Agency," would would enforce a host of existing privacy laws -- including Can-Spam and the Children's Online Privacy Protection Act. The new agency would also advise Congress on encryption, deepfakes and other new tech developments that spur controversy.

“Your data is extremely valuable to many companies with unknown motives, who are looking to exploit your data for profit,” Gillibrand says in a Medium post. “As a result, your very existence is being parsed, split, and sold to the highest bidder, and there is very little you -- or anyone, including the federal government -- can do about it.”

Unlike some of the other privacy proposals floated in recent months, this bill is relatively light on specific prohibitions. Instead, it tasks the new agency with developing privacy regulations.

By contrast, a measure introduced in the Senate last November appears to create an opt-in system for online behavioral targeting; a separate Senate proposal unveiled in October would create a national “do not track” regime that gives consumers the right to prevent information about them from being shared or sold by ad-tech companies.

But Gillibrand's proposal does seems to contemplate at least two new restrictions -- a prohibition on so-called “pay-for-privacy” billing, and on privacy policies that don't give consumers any options.

“The agency would ensure equal access to privacy protection and protect against 'pay-for-privacy' or 'take-it-or-leave-it' provisions in service contracts -- because privacy, including online privacy, is a right that should be enforced,” she writes.

In the past, internet service providers have championed pay-for-privacy pricing.

For instance, in 2013, when AT&T launched a high-speed network in Austin, Texas, the company said it would offer a cheaper plan to people who were willing to receive ads targeted based on their Web activity. Three years later, AT&T changed course and said it would charge all subscribers the lowest rates offered for their speed tiers.

Comcast also once urged the Federal Communications Commission to reject broadband privacy regulations that would have prevented providers from charging higher fees to subscribers who decline behaviorally targeted ads.

"A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem,” the company wrote in a 2016 FCC filing. Comcast never began using a pay-for-privacy model.

Currently, the Federal Trade Commission polices privacy and data security lapses by tech companies. The agency has drawn criticism from privacy advocates, who say it has been slow to respond to alleged privacy lapses.

For instance, the watchdog Electronic Privacy Information Center -- which filed five separate FTC privacy complaints against Facebook since 2012 -- has criticized the agency for waiting until last summer to officially unveil charges. (The FTC disclosed a complaint against Facebook last July, on the same day the agency announced the company had agreed to pay $5 billion to settle privacy allegations.)

For his part, Chairman Joe Simons told Congress last year the agency needs more personnel to investigate and prosecute privacy cases.

Simons said in April that the agency only employees 40 full-time staff devoted to privacy and data security -- compared to around 500 employees in the U.K. Information Commissioners' office and 110 at the Irish Data Protection Commissioner.

He said at the time that additional funding would enable the agency to create new units, including one that would focus on policy issues comparable to those flagged by Gillibrand.

“This unit would also include technologists to prepare original research on issues of interest, review referrals from privacy and security researchers, develop ideas for enforcement, and serve as a hub for technical expertise as needed on individual cases,” Simons told lawmakers.