13 Oct U.S. National Privacy Legislation Introduced: The SAFE DATA Act
Written by: Richard Sheinis, Esq.
Sen. Roger Wicker, R-Miss., along with three other Republican senators who are members of the Senate Commerce Committee, has introduced yet another national privacy legislation bill, known as the SAFE DATA Act. The full name of the bill is the “Setting an American Framework to Ensure Data Access, Transparency and Accountability Act.” (As usual, I think legislators select an acronym they like, and then think of a name for the act that will support the acronym.)
The Act combines elements of previously introduced privacy legislation to put forth a single, more robust and comprehensive privacy bill and would provide Americans with more choices and control over their data. In addition, the Act would hold businesses accountable for their data practices and require them to be more transparent about how they use data. The bill also would set a nationwide standard, preempting state laws that regulate data security and privacy.
The main components of the Act include the following:
- INDIVIDUAL CONSUMER DATA RIGHTS – These are the usual data rights we have become accustomed to seeing in legislation such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These rights provide consumers with greater individual control over their personal data, and require transparency as to the use of data, while minimizing data collection, processing and retention. The Act gives individuals the opportunity to see, correct or delete data collected on them by businesses and prohibits businesses from refusing to provide goods or services to people who do not agree to their privacy policies.
- DATA TRANSPARENCY, INTEGRITY AND SECURITY – This section is more forward looking than previous privacy legislation and requires transparency as far as algorithms used to process data and data security This section incorporates other bill provisions into the proposal including the Filter Bubble Transparency Act. Filter bubble transparency involves providing notice about the algorithm used to make inferences about a consumer based on user-specific data to select the content the user sees. The Act also incorporates provisions from the Deceptive Experiences to Online Users Reduction (DETOUR) bill, a bipartisan proposal that makes it unlawful for an online service with more than 100 million authenticated users to use a user interface to impair user authority. Like DETOUR, the bill includes protections for children such as banning user interfaces from purposefully targeting children to cultivate compulsive use.
- CORPORATE ACCOUNTABILITY – Businesses are required to disclose data-handling practices in their privacy policies and to conduct Privacy Impact Assessments on high-risk processing activities. In addition, businesses are required to designate a data privacy officer and a data security officer, as well as establish internal controls and whistle-blower protections. Appropriate mechanisms should be implemented to handle consumer inquiries or complaints regarding the business’ personal data practices.
- ENFORCEMENT AUTHORITY – The SAFE DATA Act is enforced by the Federal Trade Commission (FTC) but can also be enforced by state Attorneys General. Although there is no provision for a private right of action, state Attorneys General may bring a civil action to obtain damages, civil penalties, restitution and other compensation on behalf of residents of the state. Importantly, the Act preempts any state law or regulation related to the data privacy or data security and associated activities of covered businesses. The Act also includes a section that explicitly prohibits state legislatures from passing new privacy or data security laws, or from enforcing existing laws. The clause does not apply to state data-breach notification laws.
The bill also requires the FTC to create and maintain a registry of data brokers. Like other pending bills, the SAFE DATA ACT does not cover federal government agencies. The Act finances the implementation of the bill through a $100 million appropriation to the FTC for enforcement of the bill’s provisions. The FTC would gain the authority to impose injunctions and other equitable remedies for violations.
Points of contention between Republicans and Democrats are the same as we see in almost all proposed federal privacy legislation, that is, the lack of a private right of action and preemption of state privacy law. The looming question, now that the Act has been added to the list of proposed federal privacy legislation, is when will Congress ever act on any of the proposed legislation? It is unlikely that there will be any movement on the legislation this year; however, Congress is in a much better position to legislate on data privacy in 2021.
FAQs About the SAFE DATA ACT
Q. How is the SAFE DATA ACT different from previously introduced privacy legislation?
Ans. The new bill is actually a conglomeration of three previously introduced legislative proposals: the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act and the Deceptive Experiences to Online Users Reduction Act (DETOUR). Combining these three independent bills brings the strongest piece of privacy legislation put forth to date.
Q. What are some of the key new requirements included in the legislation?
Ans. The SAFE DATA ACT would expand the definition of what is considered to be sensitive data and would require businesses to enact data security standards in addition to existing privacy standards. Businesses would need to name a both a privacy and a data security officer.
Q. What is the new algorithmic ranking system included in the SAFE DATA ACT?
Ans. The algorithmic ranking system determines how content can be presented to consumers and establishes regulations for the manipulation of user interfaces to prevent deceptive practices that coerce consumers into providing personal data. The bill would require online platforms to be transparent about their use of secret algorithms.
Q. How would the Act provide more protection to consumers?
Ans. The Act would require that businesses allow consumers the ability to access, correct, delete or port their data and would also prohibit businesses from processing or transferring consumers’ sensitive data without their consent. Businesses would be prohibited from denying consumers products or services for exercising their privacy rights. The Act also limits the amount of consumer data businesses can collect, process and retain.
Q. How would the SAFE DATA ACT help businesses?
Ans. The Act would provide a national framework for businesses that makes it easier to compete globally. Many other countries have enacted similar privacy laws. This legislation could work in conjunction with other global privacy laws, including the General Data Protection Regulation (GDPR) in the European Union and European Economic Area.