New Senate Privacy Bill: Digital Accountability and Transparency to Advance (DATA) Privacy Act

Senator Cortez Masto (D-NV) has introduced a new federal data privacy bill into the US Senate that calls on the Federal Trade Commission (FTC) to develop significant regulations to protect individuals through data subject access rights, consent requirements, cybersecurity data protections, required privacy policy disclosures. It is called the Digital Accountability and Transparency Act to Advance Privacy Act, or the “DATA Privacy Act” for short.

The law would apply to entities that collect, process, store or disclose covered data on 3,000 or more individuals and devices during any 12 month period. It requires:

Covered entities are required to post a concise, easily understandable, accurate and updated privacy policy. This privacy policy disclosure will include the covered data collected, processed and stored; the purposes of the data; the persons and entities to whom the data has been disclosed (and the purposes); and the methods to exercise the individual rights provided by the law.

(more information below photo)

The FTC shall promulgate regulations within one year that requires businesses to have practices that meet certain minimum standards for data processing including reasonable, equitable (non-discriminatory), and forthright (non-deceptive). Additional regulations would cover affirmative consent for sensitive data and data for purposes outside the context of the relationship between the covered entity and the individual, and opt out consent for other covered data collection, processing, storage or disclosure. The law would also require covered entities to meet data minimization requirements specified by the FTC, including reasonable measures to limit the collection, processing, storage and disclosure to the amount necessary.

The above FTC regulations would not apply if the limitations would (1) inhibit detection or prevention of a security risk/incident; (2) risk the health, safety or property of the covered entity or individual; or (3) prevent compliance with a law, regulation or legal process.

Individual Rights / Data Subject Access Rights: The FTC would also be required to issue regulations on the right to access, the right to correct, the right to delete and the right to data portability.

Cybersecurity: The FTC would be tasked with developing regulations to require covered entities to establish and implement information security practices for the treatment and protection of covered data.

Privacy Protection Officers: Covered entities with annual revenue over $25 million the prior year would need to designate a privacy protection officer to educate and train employees, conduct regular audits to ensure compliance, maintain records of data security practices, serve as a point of contact with enforcement authorities, and advocate for policies and practices that promote individual privacy.

The law would be enforced by the FTC as an unfair or deceptive act or practice under its Section 5 authority, as well as civil actions on behalf of the residents of a state by the Attorneys General. It would authorize the FTC to appoint up to 300 additional personnel to enforce the privacy and data security laws and regulations.

Other Relevant Posts:

Proposed Senate Privacy Bill of Rights Act Includes Private Right of Action
New Senate Privacy Bill: Own Your Own Data Act Summarized
Summary of Latest Senate Bill to Amend COPPA
New Federal Privacy Bill: Commercial Facial Recognition Privacy Act
Privacy Law News: Senate Banking & Commerce Committees, GAO, California Data Dividend

More Resources:

Ready for the new California privacy law coming on January 1, 2020? Learn more about CCPA compliance and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.