New Privacy Bill Proposed: American Data Dissemination Act for Privacy
Senator Marco Rubio (R-FL) introduced a new federal privacy bill into the U.S. Senate today called the American Data Dissemination Act (ADD Act). If adopted, the privacy law would give Congress a path forward to guarantee constituents that additional privacy protections will be implemented across the country, despite the diverse set of opinions expressed in the many privacy bills that have already been introduced into the U.S. Congress.
The ADD Act requires the Federal Trade Commission (FTC) to provide a proposal of privacy requirements, aimed at online businesses, to Congress within six months. If Congress does not act on the recommendations within two years, the FTC has the authority to issue final rulemaking on its recommendations.
Congress would ask the FTC for recommendations that would create a scheme substantially similar to the requirements on federal agencies under the Privacy Act of 1974. This Privacy Act still governs the collection, use, maintenance and sharing of personally identifiable information (PII) by federal agencies, and would need to be adapted to private companies by the FTC.
The proposed law would apply broadly to services that use the internet and collect records. “Records” are defined by the law to mean any item or collection of information about an individual which contains an item that can be used to identify an individual.
The American Data Dissemination Act directs the FTC to offer certain data subject access rights. These include the right to access data records and the right to be provided a record of disclosures of records relating to the individual. It would also provide an avenue to correct inaccurate information, as well as to dispute determinations that the information was accurate and no change was needed.
The FTC would also need to restrict third-party data sharing as part of its proposed regulation to Congress.
The ADD Act would require the FTC to establish criteria to exempt certain small businesses by taking into account their period of operation, annual revenue, and the number of individuals they are collecting data on. Entities already regulated by HIPAA or the Family Educational Rights and Privacy Act of 1974 would continue to be regulated by those laws and would be excluded from regulation under the ADD Act. If there proves to be a conflict between the regulations developed under the ADD Act and either the Children’s Online Privacy Protection Act (COPPA) or the Gramm-Leach-Bliley Act (GLBA), the FTC would determine which rule governs. The bill also provides for federal preemption of certain state privacy regulations.
Violations would be enforced as an unfair or deceptive act under the Section 5 powers of the FTC. Section 5 gives the FTC its current authority to bring enforcement actions against companies for violations of their promises regarding privacy practices.
The bill is being introduced without cosponsors. Several other proposed bills on privacy are expected in the next few months, including one backed by Senator John Thune (R-SD), Chair of the Senate Commerce Committee. Last year, more than a half dozen bills were introduced in the House and Senate to regulate corporate privacy practices.
It is unclear to what extent the shutdown could delay the government’s efforts in this regard. For example, the National Institute of Standards and Technology (NIST) has been working on a voluntary Privacy Framework modeled after the voluntary Cybersecurity Framework, but it is impacted by the government shutdown. The FTC has also been holding a series of public hearings on competition and consumer protection in the 21st Century, which specifically included an examination of the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters. Work on those matters seems likely to also be on hold due to the shutdown.
Clarip is following closely the progress on new privacy regulations in the United States and Europe, from implementation of the California Consumer Privacy Act (CCPA) to the ePrivacy Regulation (ePR) under consideration in the European Union. For assistance in preparing your organization for enhanced privacy practices, please call Clarip at 1-888-252-5653.
Other Blog Posts on Privacy Bills in the US Senate:
Data Care Act – 15 Senate Democrats led by Senator Schatz
Consumer Data Protection Act – Draft by Senator Wyden
Senator Thune Privacy Bill
8 Proposals on Privacy from Draft Senate Policy Paper
Social Media Privacy and Consumer Rights Act introduced into Senate
Senate to Consider CONSENT Act for Enhanced Privacy Protections Online
Do Not Track Kids Act Back in Congress