In the wake of House and Senate hearings this week on data privacy, Sen. Catherine Cortez Masto (D-Nev.) has introduced the Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act.
The new bill is sweeping legislation that would not only attempt to simplify the privacy policies that most agree are too lengthy and complicated, and some Democrats argue allow edge providers and others to bury the lead as it were so that users will overshare, but require the FTC to adopt rules on everything from preventing advertising discrimination to disallowing mics like the ones in Google's Nest security device.
The bill would require covered entities (see below) to post in an "accessible location" a notice that is "in context, concise, in easily understandable language, accurate, clear, timely, updated, uses visualizations where appropriate, conspicuous, and free of charge regarding the covered entities privacy practices."
Related: Could Preemption Preempt Bipartisan Privacy Legislation
Covered entities are anyone who "collects, processes, stores, or discloses covered data," though with a carve-out for data relating to fewer than 3,000 individuals in any 12-month period.
Covered data includes both on and offline data linked to an individual or device associated with an individual or "practicably" linked to an individual or device by combination with other information (building user profiles via various data sources, for example). It does not include data for the purposes of employment or available in public government records.
The policy must also describe the data and where it came from if the covered entity is a third party that did not collect the data, why it was collected, to whom it is being disclosed and why, and provide a "Conspicuous, clear and understandable" way to The Federal Trade Commission would also be required to create a host of rules (it currently has limited rulemaking authority), including mandating that the data be "reasonably" related to the interest of the covered entity and cannot result in discrimination against a protected class.
The bill would require opt-out opportunities for some data collection and opt-in requirements for others, including sensitive personal data, but also any data not used "to provide, improve, or market a good or service that the individual requests."
That would appear to mean an opt-in regime for targeted advertising, unless that was interpreted as providing the service because without ads, the site providing the service couldn't provide it.
In any event, the Cortez Masto bill appears far from a compromise on privacy legislation both sides say they are looking for, but would still need to bridge a political divide.
Public Knowledge, which is pushing for strong privacy rules and regs, found it a mixed bag.
The following can be attributed to Dylan Gilbert, Policy Fellow at Public Knowledge:
“There is much to like in Sen. Cortez Masto’s DATA Privacy Act, including requirements for plain-language privacy notices, data minimization mandates, and grants of authority to the Federal Trade Commission and state Attorneys General to bring civil penalties against first-time privacy offenders," said Dylan Gilbert, policy fellow at Public Knowledge. That fining authority is something that both Democrats and Republicans could likely support, as well as the clearer disclosures, points made by both sides in this week's hearings. "Importantly, this bill also moves beyond the notice and consent focus of many past privacy bills to include outright bans on data practices likely to result in unfair discrimination against a broad range of protected characteristics such as race and gender," Gilbert said. That last one will be a hard sell with Republicans.
“Unfortunately, the bill lacks elements that are necessary to any comprehensive federal privacy bill," Gilbert added. "For example, it preserves an outdated distinction between sensitive and non-sensitive data, lacks requirements for companies to conduct privacy risk assessments for high-risk data processing, and, crucially, does not provide consumers with a private right of action to have their day in court individually and as a class to seek damages and injunctive relief for violations of their privacy. We look forward to working with Sen. Cortez Masto to protect consumer privacy through a more comprehensive bill.”
