Home Home About Us Practice Areas Our Attorneys Press & Publications Events Diversity Pro-Bono Careers
FOLLOW US:

Digital Media, Technology & Privacy Alert >> Federal Privacy Law Getting Closer — “SAFE DATA Act” Introduced

October 2, 2020

A group of Republican Senators recently introduced the “Setting an American Framework to Ensure Data Access, Transparency and Accountability Act” (SAFE DATA Act) in the latest attempt at passing the first comprehensive federal data privacy law in the United States. The SAFE DATA Act combines provisions from previous data privacy bills supported by the Republican Senators, including the Filter Bubble Transparency Act, the DETOUR Act and the BROWSER Act. 

When introducing the bill, the SAFE DATA Act’s sponsors, emphasized the importance of having a federal law which would provide individuals more control and transparency over the use of their personal data, especially in the light of increased online activity due to COVID-19.

The SAFE DATA Act
The SAFE DATA Act is based on a draft bill released in November 2019, then called the United States Consumer Data Privacy Act. The SAFE DATA Act applies to “covered entities” that collect, process or transfer “covered data”. “Covered entities” include any entity regulated by the Federal Trade Commission (FTC), common carriers or non-profits. “Covered data” (which is similar to personal information in other laws) is broadly defined as “information that identifies or is linked or reasonably linkable to an individual or a device that is linked or linkable to an individual” and does not include aggregated data, de-identified data, employee data or publicly available information. The Act exempts some small businesses from complying with certain requirements for covered entities.

The Act contains many elements found in the California Consumer Privacy Act (CCPA), data broker registration laws plus new obligations. 

Key elements of the SAFE DATA Act include requirements for covered entities to:

  • Obtain express affirmative consent before processing or transferring an individual’s sensitive covered data or the covered data of minors. “Sensitive covered data” includes government-issued IDs, health data, financial data, biometric information, persistent identifiers, contents of private communications, account log-in credentials, race or ethnic origin and sexual orientation or any online activity that would reveal such information. The FTC would also have authority to make new categories of sensitive data.
  • Provide individuals with the right to opt-out of the collection, processing or transfer of the individual’s covered data.
  • Provide individuals the right to access, correct, delete or transfer their covered data and not discriminate against users who exercise such rights.
  • Publish transparent privacy policies provided to users prior to or at the point of collecting their covered data that discloses the categories of data being collected, the purpose for collection, if any such data is transferred, for what purpose such data is transferred and the categories of recipients, data retention policies and a description of the user’s rights under the Act.
  • Minimize data collection, processing and retention to what is reasonably necessary and proportionate to provide its services or products in accordance with its privacy policy or federal law.
  • Register with the FTC if they are data brokers.
  • Maintain reasonable administrative, technical and physical data security policies and practices to protect covered data.
  • Appoint data privacy and security officers.
  • Conduct annual privacy impact assessments if they are large data brokers.
  • For covered internet platforms that use opaque algorithms that select content for users, notify the user that their data is being used for this purpose and also offer the choice to use input-transparent algorithms instead.
  • For large online operators, not to use interfaces to undermine user autonomy, decision-making or choice when collecting user data or obtaining consent to do so; not place users in segments for psychological or behavioral research without consent; and not use interfaces that encourage compulsive usage among users under 13 years old.

Perhaps most importantly, the SAFE DATA Act would preempt any state law, regulation, rule, requirement or standard related to data privacy or data security, with the exception of data breach laws, and does not provide a private right of action — both of which are contested in federal data privacy legislation proposed by Democratic lawmakers. The Act would be enforced by the FTC or State Attorneys General.

Shortly after introducing the SAFE DATA Act, Senator Roger Wicker convened a Senate hearing on data privacy titled “Revisiting the Need for Federal Data Privacy Legislation,” where witnesses stressed the urgency of passing a federal data privacy law. Speakers highlighted that in a post-pandemic world, sensitive and personal data is increasingly being collected as our reliance on remote interactions has increased. 

Although the SAFE DATA Act is a closer step towards the comprehensive federal data privacy law that has been in the works for years, it is unclear whether the Act will accelerate the process.

The Bottom Line

The lack of a federal privacy law has led to compliance challenges for companies, inconsistency between States, tension with the EU and a plea for a resolution. While that time has not yet arrived, and this may not be the final bill, a federal privacy law is closer to reality. Until then, the compliance challenges continue.