News Releases

The Data Care Act will stop websites and apps from using personal data against users, protect user information from hacks, and hold companies accountable for misuse

Senator Murray: New bill “makes clear that the companies we entrust with our personal information will not only be held to a higher standard, they will face penalties if they breach our trust”

(Washington, D.C.)  – Today, U.S. Senator Patty Murray (D-WA), joined a group of 15 senators in introducing new legislation to protect people’s personal data online. The Data Care Act would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.

“As we see more and more often, consumer data is being used and abused in ways few people had imagined before. Now, it’s on Congress to ensure consumer protections keep pace with this changing reality,” said Senator Murray. “This legislation being introduced today makes clear that the companies we entrust with our personal information will not only be held to a higher standard, they will face penalties if they breach our trust.”

Doctors, lawyers, and bankers are legally required to exercise special care to protect their clients and not misuse their information. While online companies also hold personal and sensitive information about the people they serve, they are not required to protect consumers’ data. This leaves users in a vulnerable position; they are expected to understand the information they give to providers and how it is being used—an unreasonable expectation for even the most tech-savvy consumer. By establishing a fiduciary duty for online providers, Americans can trust that their online data is protected and used in a responsible way. To that end, the Data Care Act establishes reasonable duties that will require providers to protect user data and will prohibit providers from using user data to their detriment:

  • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with first fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
  • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

Read the full text of the bill HERE.