
We are back in the US federal privacy bill game!
Sen. Roger Wicker, a Mississippi Republican, has re-introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act,” also known as the “SAFE DATA Act.”
Here are some key takeaways:
- Employee and publicly available data are excluded
- The concept of “sensitive covered data” is broader than GDPR special category data, and includes precise geolocation data, content of personal communications and account log in credentials.
- There is a prohibition on discrimination for the exercise of consumer rights.
- There is mandatory privacy policy disclosing the identity of the covered entity, categories of data, processing purposes, data transfers, individual rights, data security practices and data retention practices.
- Requires prior and direct notification to the individual of a material change in the policy.
- Right of access (within 90 days), as well as right of correction, of deletion and of portability.
- Exceptions to rights include: that it’s impossible or demonstrably impractical to comply, results in the release of a trade secret or requires disproportionate effort.
- Allows the option under certain circumstances to delete instead of provide access.
- Requires the enactment of regulations within 1 year.
- Requires individual consent to process or transfer sensitive covered data and opt out re: processing or transfer (other than some exceptions).
- Limits collection to what is reasonably necessary proportionate and limited to provide the product or service or reasonably anticipated.
- Requires notice and opt out for data sharing as part of bankruptcy proceedings.
- Requires due diligence before engaging a service provider or transferring data.
- Requires a privacy impact assessment for any processing activity involving heightened risk.
- Certain exceptions for small businesses.
- Requires study of algorithmic transparency.
- Requires registration of data brokers.
- Requires reasonable administrative, technical and physical information security policies.
- Requires designation of data privacy officer and data security officer.
- Requires internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions for compliance.
- Enforcement would be by the FTC as an unfair or deceptive act or practice.
- Civil actions by state Attorney Generals would be possible.
- Contemplates voluntary certifications for compliance with provisions of the Act.
- Preempts all state privacy laws other than re: data breach notification.
- Carves out certain federal laws (like COPPA, GLBA etc), which would not be preempted.