We are back in the US federal privacy bill game!

Sen. Roger Wicker, a Mississippi Republican, has re-introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act,” also known as the “SAFE DATA Act.”

Here are some key takeaways:

  • Employee and publicly available data are excluded
  • The concept of “sensitive covered data” is broader than GDPR special category data, and includes precise geolocation data, the content of personal communications and account log-in credentials.
  • There is a prohibition on discrimination for the exercise of consumer rights.
  • There is a mandatory privacy policy disclosing the identity of the covered entity, the categories of data collected, processing purposes, data transfers, individual rights, data security practices and data retention practices.
  • Requires prior and direct notification to the individual of a material change in the policy.
  • Right of access (within 90 days), as well as rights of correction, deletion and portability.
  • Exceptions to these rights include where compliance is impossible or demonstrably impractical, would result in the release of a trade secret, or would require disproportionate effort.
  • Allows the option under certain circumstances to delete instead of provide access.
  • Requires the enactment of regulations within 1 year.
  • Requires individual consent to process or transfer sensitive covered data, and an opt-out for other processing or transfer (subject to some exceptions).
  • Limits collection to what is reasonably necessary, proportionate and limited to providing the product or service, or to what is reasonably anticipated.
  • Requires notice and opt out for data sharing as part of bankruptcy proceedings.
  • Requires due diligence before engaging a service provider or transferring data.
  • Requires a privacy impact assessment for any processing activity involving heightened risk.
  • Certain exceptions for small businesses.
  • Requires study of algorithmic transparency.
  • Requires registration of data brokers.
  • Requires reasonable administrative, technical and physical information security policies.
  • Requires designation of data privacy officer and data security officer.
  • Requires internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions for compliance.
  • Enforcement would be by the FTC, with a violation treated as an unfair or deceptive act or practice.
  • Civil actions by state Attorneys General would be possible.
  • Contemplates voluntary certifications for compliance with provisions of the Act.
  • Preempts state privacy laws, except for data breach notification laws.
  • Carves out certain federal laws (such as COPPA and GLBA), which would not be preempted.