Washington, D.C. – U.S. Senator Catherine Cortez Masto (D-Nev.) today introduced the Digital Accountability and Transparency to Advance (DATA) Privacy Act. The DATA Privacy Act strengthens data privacy protections for American consumers while also ensuring corporations are focusing on implementing new data security standards and essential privacy protections. This legislation also increases research into technologies that protect Americans’ privacy and shields small businesses from unnecessary regulation.
“From my time as Nevada’s Attorney General, I’ve fought for consumers who’ve been harmed by data breaches at major companies and defrauded by scammers who stole their data,” said Cortez Masto. “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. This bill requires companies put data protection and transparency first, while also requiring Congress and our government agencies step up to make the private data of consumers in Nevada, and across the country, a priority for protection. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”
“Protecting the privacy of Nevadans is a paramount concern and I applaud Senator Cortez Masto’s efforts in this initiative,” said Nevada Attorney General Aaron Ford.
BACKGROUND:
The United States currently has no comprehensive law designed to protect data privacy despite numerous recent instances of security breaches and abusive behavior by online companies. Senator Cortez Masto’s Digital Accountability and Transparency to Advance (DATA) Privacy Act strengthens data privacy protections, fosters the use of new data security and privacy protection best practices, and holds major corporations that handle consumer data accountable without placing unnecessary burdens on small businesses. This legislation focuses on six key areas:
Data Protection:
- The DATA Privacy Act requires businesses provide users with reasonable access to a method to opt out.
- The legislation requires three simple standards be applied to all data collection, processing, storage, and disclosure:
  - Reasonable: Must be for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk.
  - Equitable: Data practices may not discriminate against protected characteristics, including political and religious beliefs.
  - Forthright: Businesses cannot engage in deceptive data practices.
- The bill requires opt-in consent in two circumstances:
  - Collecting or disclosing sensitive data such as genetic, biometric, or precise location data.
  - Disclosing data outside of the parameters of the businesses’ relationship with the consumer.
Transparency:
- The DATA Privacy Act will mandate that businesses that collect personal data on more than 3,000 people a year provide access to a privacy notice that is concise, understandable to consumers, and that accurately describes their privacy policies.
Consumers Control Their Data:
- This legislation allows consumers to request, dispute the accuracy of, and transfer or delete their data without retribution in the form of price or service discrimination by companies.
Data Security Standards:
- The DATA Privacy Act requires companies collecting data on more than 3,000 people a year to prioritize protecting consumer data through technological, administrative, and physical means based on the privacy risk while ensuring small businesses are protected from onerous requirements and unnecessary regulations.
Privacy Protection Officers:
- This bill requires companies collecting data on more than 3,000 people a year with revenues in excess of $25 million per year to appoint a Privacy Protection Officer to institute a culture of data and privacy protection at companies and to train staff at relevant companies.
Promoting Privacy Enhancing Innovations in Technology & Oversight:
- This legislation expands the National Science Foundation’s cybersecurity research into privacy enhancing technology.
- The DATA Privacy Act also provides new authorities to State Attorneys General and the Federal Trade Commission by allowing them to levy civil penalties for violations.
Full text of the bill is available here.