Skip to main content
Top Button
Is a Data Protection Agency Coming to the United States? Is a Data Protection Agency Coming to the United States?

Is a Data Protection Agency Coming to the United States?

Senator Kirsten Gillibrand recently introduced legislation, the Data Protection Act of 2020 (the “Proposed Act”), calling for the creation of a Data Protection Agency (“DPA”) in the United States.[i] There has been hot debate in the United States over the approach to privacy, at both the state and federal level. Notably, Gillibrand’s bill does not propose specific privacy rights and obligations at the federal level; rather it focuses on the creation of the new DPA and corresponding responsibilities. The proposed federal DPA would “serve as a ‘referee’ to define arbitrate, and enforce rules to defend the protection of our personal data” according to Gillibrand’s statement on the legislation.[ii] Gillibrand’s statement goes on to outline the three core missions of the DPA:
  1. Give Americans control and protection over their own data by creating and enforcing data protection rules.
  2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace.
  3. Prepare the American government for the digital age.[iii]
The Proposed Act states that the DPA would provide active leadership, guidance, and education to the private sector, as well as develop model standards and guidelines regarding privacy, data protection rights and standards, and fair information practices and principles. The DPA would be granted rulemaking authority and have the ability to administer and enforce both the Proposed Act and federal privacy laws.

Enforcement and Penalties

A component of the Proposed Act would allow individuals to file complaints with the DPA if they believe a company has violated data privacy laws. These complaints may trigger an investigation by the DPA, which could result in civil penalties, fines, or injunctive relief. Currently, similar complaints are filed with the Federal Trade Commission (“FTC”). The Proposed Act would transfer authority to prescribe rules, issue guidelines, conduct studies, or issue a report under existing federal privacy laws from the FTC to the DPA.
The civil penalty amounts for a violation would be tiered based on the nature and severity of the violation. The current Proposed Act sets the penalties for violations as the following:
  • First Tier Penalties for a general violation not to exceed $5,000 per day
  • Second Tier Penalties for a “reckless” violation not to exceed $25,000 per day
  • Third Tier Penalties for a “knowing” violation not to exceed $1,000,000 per day
Any civil penalties collected related to the Proposed Act enforcement would then be deposited into a “Data Protection Relief Fund” and used to compensate any affected individuals or for educational purposes.
A significant number of countries throughout the world have general data protection legislation, but the United States is not one of them. The General Data Protection Regulation (“GDPR”) out of the European Union has quickly become a standard privacy framework replicated by other countries across the globe. On January 1, 2020, the California Consumer Privacy Act (“CCPA”) went into effect. The CCPA is similar to the GDPR, with broad definitions of personal information and application across various industries. The CCPA has prompted a number of other states in the United States to propose similar legislation. Without federal privacy legislation, the patchwork approach to privacy in the United States will continue to become more complex. 

If you have questions about privacy laws, contact Nick Merker, Rachel Spiker, Mason Clark or another member of our Data Security and Privacy Team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[i] Text of the Data Protection Act of 2020 is available at the following
[ii] Senator Gillibrand’s published blog post and statement about the Data Protection Act of 2020 is available at the following
[iii] Confronting A Data Privacy Crisis, Gillibrand Announces Landmark Legislation To Create A Data Protection Agency, Press Release,
View Full Site View Mobile Optimized