After months of criticizing regulators for going easy on Big Tech, a pair of Democratic lawmakers announced new legislation that would create an entirely new federal agency with the authority to regulate the industry. 

Among other provisions, the Online Privacy Act, sponsored by Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA), would create the Digital Privacy Agency, or DPA. That agency would be empowered with the ability to issue regulations and enforce the privacy rules imposed by the legislation. The agency would be funded to employ 1,600 officials, making it about the same size as the Federal Communications Commission. Currently, the Federal Trade Commission broadly regulates privacy and employs only a few dozen people dedicated to violations. 

In the aftermath of Facebook’s Cambridge Analytica scandal, lawmakers on both sides of the aisle have taken the opportunity to craft an overarching federal privacy bill. Few such bills have been made into law, except at the state level. The California Consumer Privacy Act (CCPA) has become one of the toughest in the country, and one Democrats see as a minimum standard for future legislation.

“This bill is stronger than the California law,” Eshoo said in a call with reporters, referring to the CCPA. “This would be the standard for the United States and it would provide the kind of uniformity that I think everyone is looking for without preemption because it is the broadest bill.”

Earlier this year, Speaker Nancy Pelosi (D-CA) tasked Rep. Ro Khanna (D-CA) with building out a privacy bill of rights for users. The Online Privacy Act piggybacks off of that effort, codifying certain rights users have over how their data is collected and used by tech companies. It would allow users to access, correct, delete and transfer their data, similar to Europe’s General Data Protection Regulation. Users would also have to opt in for companies to use their data in machine learning or AI algorithms. In a call with reporters, the representatives said that the measure would give users the ability to toggle the use of algorithmic news feeds, an idea that has already been introduced as legislation in the Senate and something many critics have found troubling. 

Companies would be required to be far more transparent about how they handle user data under the Online Privacy Act. Companies could not disclose or sell user data without receiving explicit consent or use third-party data to re-identify users. Dark patterns that sway users into consenting to data collection would also be outlawed, something that other lawmakers like Sens. Mark Warner (D-VA) and Deb Fischer (R-NE) have crafted into legislation before. It would be unlawful to target ads based on private messages if this bill is made into law, too. If any breaches of personal data occur, the affected company would have 72 hours to alert users and the DPA.

If companies violate any of the rules laid out in the bill or regulations created by the DPA, they could be fined $42,530 per incident which is on par with how much the FTC act empowers the agency to seek. State attorneys general could bring civil actions and affected consumers could bring civil suits against platforms as well. 

The Online Privacy Act goes beyond much of the legislation that has been introduced by Congress in the aftermath of Facebook’s Cambridge Analytica scandal, even including some measures to criminalize doxxing or the sharing of personal information without consent.

“Our country urgently needs a legal framework to protect consumers from the ever-growing data-collection and data-sharing industries that make billions annually off Americans’ personal information,” said Rep. Lofgren. “Privacy for online consumers has been nonexistent — and we need to give users control of their personal data by making legitimate changes to business practices.”