Online Privacy Act (OPA)

Creates user data rights and strengthens enforcement with a Digital Privacy Agency and state-level attorneys
Introduced on November 5, 2019

If this bill passed, what is one way a social media interface could look?

Mockup of a hypothetical screenshot where a social media feed is annotated with popups informing users what is tracked on a social media news feed with buttons to edit how long data can be retained.

What are some things this bill would do?

Create user data rights.
Users would be granted the right to access, correct, port, or delete their data on online platforms. This bill also creates new rights, such as the right to impermanence, which lets users decide how long companies can keep their data.
Place clear obligations on companies for data collection and use.
This bill minimizes the amount of data companies collect, process, disclose, and maintain, and bars companies from using data in discriminatory ways. Companies would be required to notify users of a data breach or data sharing abuse and to obtain consent in plain, simple language. Users would also be given the right to human review of automated decisions.
Establish a Digital Privacy Agency (DPA).
This agency would enforce privacy protections and investigate abuses. The DPA would be led by a Director who is appointed by the President and confirmed by the Senate for a five-year term.
Strengthen enforcement of privacy violations.
State attorneys general would be empowered to take enforcement action against violations of the bill, and individuals would be allowed to appoint nonprofits to represent them in private class action lawsuits.

We compiled these highlights from: Full text of the bill, Official Online Privacy Act Press Release, Official section-by-section summary of H.R. 4978

How people responded to the Online Privacy Act

We interviewed 41 people, from privacy experts to everyday people, to get feedback on the bill and prototype.

Thoughts from a biomedical researcher

“I've heard that for some of these bills the enforcement side is hard, or they're not getting the funding to do the enforcement side. So actually having a separate office that we do some of this is interesting to have in building our security.”

- Vanessa Barone, Senior Governance Analyst, Sage Bionetworks

Insights from our interviews

New user rights, such as data impermanence, could be challenging to enforce.
Several interviewees were excited about the creation of these rights but questioned how they could be taken advantage of for negative purposes. How would the bill be positively enforced?
Certain user rights could unintentionally (or intentionally) exclude marginalized populations.
Some of the bills mention they apply only to “Americans.” One interviewee pointed out how this could leave out several vulnerable populations, such as those who don’t hold American citizenship but are active on American online platforms.
People have mixed feedback on whether to support the creation of a Data, or Digital, Privacy Agency.
While some interviewees supported the creation of a new agency, others argued for expanding the powers of existing institutions, like the FTC. Some questioned whether we need a new agency to enforce new user rights.

Positive responses to the bill

“I like that this bill is trying to provide more measures to contact companies and more control to users. I'm not sure if this is the best way to do it.”

- Design Lead, Nonprofit Organization

“The first bullet point is that Americans have the right to access, correct or delete their data, which makes sense. I like that it doesn't let you edit your data, only correct. So that's good. But you can delete it whenever you want. So, yeah, get clear obligations on companies.”

- Eyassu Shimelis, Technical Staff, MIT Lincoln Laboratory

Concerns over the bill

“I think the ability to delete your data is nice and I just don't think people download their data from Facebook. It feels like they're protecting themselves, being like 'you can access this data at any time' and I'm like that data doesn't mean anything to people and might not get at the meat of what data they all have or sold that might make you vulnerable. It feels just like a soft attempt to be more transparent.”

- Maggie Hughes, Graduate Student, MIT Media Lab

“So when you say that under this administration, when we talk about the right to access, the right to correct or delete data. The bill grants every American the right to access, correct or delete their data, I'm wondering about people who are not considered American. We need to think about immigration and some of the things that are happening, horrible things that are happening on that front.”

- Najarian Peters, Faculty Fellow and Assistant Professor in the Institute for Privacy Protection at Seton Hall Law School and Faculty Associate at the Berkman Klein Center for Internet & Society