This bill establishes the "You Own the Data Act" (YODA) to grant users ownership over their data, restrict its sharing without consent, mandate user access and deletion rights, and impose strict limits on data collection and retention by covered entities.
Michael Cloud
Representative
TX-27
The You Own the Data Act (YODA) establishes that users own the data they create and grants them significant rights over how it is collected, used, and shared by commercial entities. This bill prohibits sharing user contacts without explicit written consent and mandates that companies provide users with access to, correction of, and the ability to delete their collected data. Furthermore, it imposes strict limits on data retention, requires clear privacy notices, and establishes enforcement mechanisms through the FTC, State Attorneys General, and a private right of action.
New 'You Own the Data Act' Gives You Control Over Your Digital Footprint, Starting with Data Access and Deletion Rights
Alright, let's talk about the 'You Own the Data Act' (YODA), because who doesn't want to feel like a Jedi master of their own information? This bill is a serious game-changer for anyone tired of feeling like their personal data is floating around the internet without their say-so. Basically, YODA says that your data is your property, and it's putting some muscle behind that idea.
Taking Back Your Contacts
Ever sign up for an app and it immediately asks to scan your contacts, then suddenly your friends are getting weird invites? YODA aims to put a stop to that. Under this bill, it would be flat-out illegal for companies to ask you to share your contacts or any info about them unless both you and each individual contact give written consent. Think about that for a second: no more surprise connections or unwanted spam for your buddies just because you downloaded a new game. It’s a pretty big step toward respecting not just your privacy, but the privacy of everyone in your phone book.
Your Data, Your Rules: Access, Correct, Delete
This is where YODA really flexes. If this passes, you'd get some serious power over your digital self. Companies would have to give you, within 90 days of a verified request, a full rundown of every third party and service provider they've shared your data with. Imagine knowing exactly who has your info and why. You'd also get a readable summary of your own data, the ability to correct any inaccuracies (finally!), and the right to request that your data be deleted or de-identified. And get this: they have to give you your data in a portable, machine-readable format, free of charge, at least twice a year. No more feeling like your data is locked away in some digital vault you can’t open. For small business owners, this means more transparency about customer data, which can build trust, but also a new set of compliance requirements to manage.
No More Data Hoarding
One of the coolest parts for everyday folks is the data retention limits. For sensitive stuff like your browsing history or biometric data (think facial recognition scans or fingerprints), companies would have to delete that within 60 days of collecting it. That’s a huge win for privacy, as it means less of your most personal digital crumbs are left lingering indefinitely. For commercial data operators, this means rethinking their data storage strategies and ensuring they have robust deletion protocols in place.
What's 'Reasonably Necessary' Anyway?
YODA also introduces a concept called 'data minimization.' This means companies can only collect and share information that's 'reasonably necessary' to provide a service you asked for or for fraud prevention. Here's the kicker: monetization of your personal information is explicitly not considered 'reasonably necessary.' This is a big deal, as it aims to stop companies from hoovering up every bit of data just to sell it off. However, the term 'reasonably necessary' itself could be a bit of a gray area. What one company deems necessary, you might see as overkill. It will be interesting to see how that gets interpreted in practice, but the intent is clearly to rein in the data free-for-all.
Opting Out and Staying Safe
Under YODA, every website, mobile app, or computer app would need to display a prominent icon allowing you to opt out of data collection. And within two years, companies would need to make it easy for you to directly delete your collected data. For parents, there's a crucial protection: companies can't collect, retain, or transfer data from anyone under 18 without affirmative consent from a parent or guardian, where technically feasible. That 'technically feasible' bit is important, as it acknowledges the challenges but sets a high bar for protecting kids. Plus, no more tracking cookies unless you say so, and companies can’t deny you service if you opt out.
When Things Go Wrong
Finally, if there’s a data breach involving your information, companies would have to notify you in a timely manner and provide remedies like credit protection and fraud alerts. No more finding out about a breach months later. The Federal Trade Commission (FTC) and state attorneys general would be on the hook for enforcing this, and here’s the best part for you: if a company with over $50 million in annual revenue violates your rights, you could potentially sue them directly for $100 to $750 per violation, plus legal fees. That’s a real incentive for companies to get their act together. While this private right of action is great, it’s worth noting that smaller businesses are exempt from individual lawsuits, so the FTC and state AGs would be the sole enforcers there.