Online Privacy Act of 2023

Online Privacy Act of 2023

This bill establishes online privacy rights for personal information, including the contents of personal communications. It also applies requirements for protecting those rights to certain data processors, service providers, and other entities that collect, process, or maintain personal information and transmit it online.

The entities covered by the bill must generally permit individuals to oversee and control their personal information, including by allowing them to

• access, download, and transmit their information;
• correct inaccurate or incomplete information;
• request the deletion of their information; and
• request human reviews of certain automated processes.

Further, the bill limits how covered entities may use, retain, and disclose personal information and otherwise requires actions to preserve information privacy. For example, covered entities must (1) notify and obtain consent from individuals before using, retaining, or disclosing their information in most instances; and (2) maintain privacy and information security policies. Additionally, covered entities may not process information for purposes related to employment, housing, and other opportunities in a discriminatory manner.

The bill establishes the Digital Privacy Agency to administer the provisions of the bill and transfers certain authorities, employees, and responsibilities related to information privacy from the Federal Communications Commission to the agency.

Violations of the bill's requirements may be enforced by the Digital Privacy Agency, states, and individuals. The bill sets out specific guidelines for investigating and adjudicating violations, with violations subject to civil penalties.

The bill also requires research and public education on information privacy.