The U.S. Needs a Data Protection Agency

Companies and foreign adversaries want to exploit your data. Someone should be looking out for you.

Sen. Kirsten Gillibrand
Feb 12, 2020


Right now, a great deal of your personal information — public profiles, health data, photos, past purchases, locations, search histories, and much more — is likely scattered across the internet.

And whether you realize it or not, much of that is information that you did not knowingly opt to give.

Your data is extremely valuable to many companies with unknown motives, who are looking to exploit your data for profit. As a result, your very existence is being parsed, split, and sold to the highest bidder, and there is very little you — or anyone, including the federal government — can do about it.

I believe that this needs to be fixed, and that you deserve to be in control of your own data. You have the right to know if companies are using your information for profit. You need a way to protect yourself, and you deserve a place that will look out for you.

That’s why I’m introducing new legislation to create a Data Protection Agency and bring the protection of your privacy and freedom into the digital age.

There are countless scenarios to illustrate why we need this.

I often think about my two boys who love to watch videos on the internet and share their favorites with friends, like clips from their favorite shows or cute animal videos. Kids across the country commonly use platforms like YouTube, Instagram, and TikTok. These companies can monitor their activity, see what types of content they choose to watch and which pages they choose to visit. But we don’t know what these companies are doing with that information. Are they allowed to share my teenage son Theo’s data from his Instagram page with advertisers? What are the limits on how and why they collect his information? And if Henry decided to download a new app to his phone, or worse, my phone, would that app company then have backdoor access to all of the phone’s data?

Let’s say that you enjoy working out and monitor your heart rate on a fitness app. The company that built the app now has access to your personal information. Do you have any idea what exactly they are allowed to do with it? Perhaps they could sell that data to your health insurance company — who could, in turn, charge you more if they think that you don’t exercise enough.

Now, imagine if a tech company had a way to determine if a person is low-income or has a poor credit score. Maybe they go ahead and sell that data to a third party — and, before you know it, the next time that person opens their browser, they’re being served ads for predatory payday lending schemes.

It’s clear that lawlessness in the data privacy space can give rise to new, unexpected forms of injustice.

The tech giants — Google and Facebook among them — have been the clear winners of our transition to the digital age. These companies have built major empires of data with information about our private lives. They’re processing that information with increasingly complex and sophisticated algorithms. And they’re making a whole lot of money off of it.

Meanwhile, major data breaches have occurred at banks and credit rating agencies. Take, for example, the recent Equifax breach. Equifax collected sensitive credit data from hundreds of millions of Americans, but failed to safeguard it, which allowed hackers to steal and expose this information. To this day, Equifax has faced few consequences and little accountability for what happened — and the losers of that breach? The millions of Americans whose information was compromised.

We have also seen bad actors use powerful data collection and processing techniques to target older Americans and other vulnerable citizens through robocalls and misinformation scams.

All of this is worth pause and concern as American consumers invite new voice-activated assistants into their homes and let AI systems take control of their SUVs. Even the savviest consumers of technology cannot fully understand how companies use their data, where their data goes, how far they are willing to go to profit from that data, and whether their business practices encroach on their privacy and freedom.

Moreover, companies have declared that this data is theirs for the taking, and they’ve repeatedly rejected responsibility and accountability for the greater impacts of any bad behavior.

Data has been called “the new oil.” Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences.

So as we stare down the barrel of threats from foreign adversaries trying to target personal data in consumer households, businesses, and government agencies, the data privacy space remains a complete and total Wild West. And that is a huge problem.

The U.S. Needs a Data Protection Agency.

The United States must make an effort to take the lead and do something about data protection.

The Data Protection Act would address this head-on. My legislation would establish an independent federal agency, the Data Protection Agency, that would serve as a “referee” to define, arbitrate, and enforce rules to defend the protection of our personal data.

This agency would have three core missions:

1. Give Americans control and protection over their own data by enforcing data protection rules.

  • The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
  • The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings.

2. Work to maintain the most innovative, successful tech sector in the world and ensure fair competition within the digital marketplace.

  • The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
  • The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts — because privacy, including online privacy, is a right that should be enforced.

3. Prepare the American government for the digital age.

  • The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.

The United States is vastly behind other countries on this. Virtually every other advanced economy has established an independent agency to address data protection challenges, and many other challenges of the digital age.

After we were attacked on September 11, 2001, we realized that our country needed a government agency whose mission was to focus on our country’s national security — we then established the Department of Homeland Security. Today, we face another crossroads. As our country and economy continue to evolve with the digital age, we face a national crisis as our personal data gets targeted — and not just for marketing by brands, but also to establish if we can access certain jobs, loans, or prices on products. Americans should be able to go to an institution that will look out for, and actively work to protect, their privacy and freedom. So let’s take this important step forward and create an agency whose sole focus is to do just that.



Sen. Kirsten Gillibrand

United States Senator for New York. Official Senate Medium account.