Privacy Bill Essentials: Data Care Act

April 1, 2021
Hinshaw Privacy & Cyber Bytes

In a push to enact a federal privacy law, a group of 17 senators has reintroduced the Data Care Act (DCA). First introduced in 2018, the DCA would establish explicit duties requiring websites, apps, and other online service providers and applicable third parties to take proper steps to protect user personal information they collect and use.

To whom would it apply?

The DCA would apply to online service providers defined as entities that:

The DCA would also apply to third parties that an online service provider transfers or otherwise provides access to individual identifying data.

What types of information would it cover?

The DCA would cover individual identifying data and sensitive data.

Individual identifying data is defined as data that is linked, or reasonably linkable, to a specific user or computing device that is associated with, or routinely used by, an end user.

According to the DCA, sensitive data includes:

What rights would it create?

The DCA would not create any specific consumer rights.

What obligations would it impose?

The DCA would require online service providers and applicable third parties to fulfill duties of care, loyalty, and confidentiality in connection with user data they collect and use, as follows:

How would it be enforced?

The DCA would be defined and enforced by the Federal Trade Commission (FTC). Any violation of the duties established by the DCA would be treated as violations of an FTC rule defining unfair or deceptive acts or practices. State Attorneys General may also commence civil actions for violations of the DCA, in which cases the FTC may intervene.

In addition to other applicable penalties, online service providers and applicable third parties found to have knowingly or repeatedly violated the DCA would be liable for a civil penalty equal to the amount calculated by multiplying the greater of:

When would it go into effect?

The DCA would go into effect on the date of enactment and apply to online service providers and end users 180 days after that.

Where does it stand? 

The DCA was introduced on March 23, 2021. As more information becomes available, we will report on its progress.