Data Protection Act of 2020

Data Protection Act of 2020

This bill establishes in the executive branch an independent Data Protection Agency (DPA) to regulate the processing of personal data.

The DPA shall seek to protect individuals' privacy and limit the collection, disclosure, processing, and misuse of individuals' personal data by a covered entity (i.e., a person that collects, processes, or otherwise obtains personal data other than an individual processing personal data in the course of personal or household activity).

The DPA must examine and oversee high-risk data practices, which include

• a systematic or extensive evaluation of personal data that is based on automated processing;
• any processing of biometric data for the purpose of uniquely identifying an individual;
• processing which involves tracking an individual's geolocation; or
• the use of personal data of children or other vulnerable individuals for marketing purposes, profiling, or automated processing.

The DPA is authorized to (1) enforce federal privacy law, and (2) take specified actions to prevent a covered entity from committing or engaging in an unfair or deceptive act or practice.

The DPA shall establish procedures to provide consumers with a timely response to complaints against, or inquiries concerning, a covered entity.

The DPA may engage in joint investigations and requests for information and may issue subpoenas. The bill provides for civil monetary penalties for violations of privacy law and the use of such penalties, including as monetary relief for individuals affected by violations.