Latest National Data Privacy Legislation Aims to Protect Consumer Data
Legislation introduced last week would establish national data privacy standards, mirror elements of the CCPA and require companies to use high-quality data protection standards.
It's rare that a month goes by these days without a politician introducing yet another form of legislation designed to help strengthen data privacy protection measures for consumers.
True to form, last month saw yet another act launched, the Digital Accountability and Transparency to Advance (DATA) Privacy Act.
Reintroduced by Sen. Catherine Cortez Masto (D-Nev.) late last week, the bill would require companies that collect large amounts of personal data to use "high-quality data protection standards" for any processing, storage and disclosure. The last version of the Cortez Masto bill came in February 2019.
Businesses would have to ensure that data is being used for a legitimate business or operation purpose, one that doesn't open the door to a further privacy risk, like having data used deceptively or in targeting (think race- or age-based).
if there isn't already a role overseeing data collection, the bill would lso require companies appoint a Privacy Protection Officer.
Similar to the California Consumer Privacy Act, Cortez Masto's bill would allow consumers to request, dispute the accuracy, and transfer or delete their data. The same concept is also present in the California Privacy Rights Act or CPRA, which is set to supersede CCPA in 2023, along with the Virginia Consumer Data Protection Act or VCDPA, which was passed earlier this year and goes into effect in 2023, too.
Also like the CCPA, the bill would give consumers the option to opt out of personal data collection and require their opt-in consent when sensitive information is collected or disclosed "outside of the parameters of the businesses’ relationship with the consumer."
The bill would empower state Attorneys General and the Federal Trade Commission to hand out civil penalties for violations. It would also expand the National Science Foundation’s research into privacy-enhancing technology or PET, an idea previously floated by Cortez Masto and Deb Fischer (R-Neb.) in 2020's Promoting Digital Privacy Technologies Act. That bill, for those keeping track, was reintroduced in the Senate again in 2021 but hasn't moved since being referred to the Committee on Commerce, Science, and Transportation in February.
With so many data privacy bills getting introduced and reintroduced this year and last, it's hard to see this Cortez Masto bill moving forward either but as is the case with all legislation, we’ll have to wait and see.
Proposed legislation to this point has faced repeat hurdles: The question of whether a federal framework would preempt state legislation already on the books, like that in California, Virginia, and Colorado, and whether an individual can sue a company if their data winds up getting breached by a company, also known as a Private Right of Action.
As the International Association of Privacy Professionals notes, Cortez Masto's bill has no private right of action and wouldn't pre-empt state privacy laws.
Cortez Masto's bill comes a week after the Federal Trade Commission released a findings of a study on data collection practices and shared that internet service providers collect a "staggering" amount of detailed data on consumers.
Specifically, FTC Chair Lina Khan said companies are "surveilling" consumers and collecting a "staggering array of data.” While this likely isn't a surprise if you've been paying attention, less alert consumers might be concerned with the level of data - web browsing, television viewing, geolocation data, and email data - the companies have collected over the years.
“Big technology companies shouldn’t be gathering mountains of consumers’ data without their knowledge and consent,” Cortez Masto said of her bill last week, “This legislation will require major corporations to put data protection and transparency first while also protecting American consumers from having their data used without their permission.”