Last week, the Republican members of the Senate Commerce Committee, including the chair of the committee, Roger Wicker, introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (“the Safe Data Act”). Last November, Senator Wicker had a working draft called the United States Consumer Data Privacy Act of 2019. The Safe Data Act resembles the 2019 proposal in most ways but includes a few significant changes.
Like the United States Consumer Data Privacy Act, the Safe Data Act provides the consumer rights that have been granted in the California Consumer Privacy Act (“CCPA”) and the GDPR, such as the rights to access, notice, deletion, opting-out, and correction as well as a right to data portability. The Safe Data Act also prohibits covered entities from discriminating against consumers who utilize some of the proposed rights. Organizations would be prohibited from denying goods or services to an individual because the individual exercised any of the rights afforded by the Bill.
The Safe Data Act is also aligned with its predecessor proposal in including requirements for companies to obtain affirmative express consent before processing or transferring individuals’ sensitive data. This bill partially incorporates some principals provided in the GDPR, such as requiring data minimization to large data-holding companies. This minimization would apply to all data collected, processed, and retained. Unlike Senator Wicker’s proposal last year, the non-discrimination provision only applies when an individual exercises the rights of access, correction, and portability. This bill also removes an exception provided in the previous proposal to retain and use data for internal purposes (research, service improvements, etc.).
The Safe Data Act finances the implementation of the bill through a $100 million appropriation to the Federal Trade Commission (“FTC”) to enforce the bill’s provisions. The FTC would gain the authority to impose injunctions and other equitable remedies for violations.
The Safe Data Act incorporates other bill provisions into the proposal as well. For example, the Safe Data Act integrates the Filter Bubble Transparency Act notice requirement on a public-facing website or mobile application using algorithmic ranking systems. Further, the Safe Data Act includes provisions from the Deceptive Experiences To Online Users Reduction (“DETOUR”) bill (a bipartisan proposal) which makes it unlawful for an online service with more than 100 million authenticated users to use a user interface to impair user autonomy. Like DETOUR, the Safe Data Act includes children protections such as banning user interfaces from purposefully targeting children to cultivate compulsive use.