Privacy Bill Essentials: Proposed Federal "Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act"

August 6, 2021
Hinshaw Privacy & Cyber Bytes

U.S. Senators Roger Wicker (R-Miss) and Marsha Blackburn (R-Tenn) recently reintroduced a comprehensive federal privacy bill entitled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The SAFE DATA Act integrates themes from three previously introduced legislative proposals: the discussion draft of the U.S. Consumer Data Protection Act (CDPA), the Filter Bubble Transparency (FBT) Act, and the Deceptive Experiences To Online Users Reduction (DETOUR) Act.

If signed into law, the SAFE DATA Act would create a single federal standard for consumer data privacy and preempt all state consumer data privacy laws.

To whom would it apply?

The SAFE DATA Act aims to protect the personal data of all individuals residing in the U.S. and would apply to all businesses under the purview of the Federal Trade Commission (FTC), as well as non-profits and common carriers. Small businesses are exempt from complying with various provisions of the SAFE DATA Act (e.g., sections 103, 105, and 301) if they can establish that for the three preceding calendar years: their revenues did not exceed $50 million; they processed covered data of fewer than 1,000,000 individuals; they never employed more than 500 individuals at any one time; and they derived less than 50% of their revenues from transferring covered data.

What types of information would it cover?

The SAFE DATA Act defines covered data as that which "identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual." Falling under this broad definition is sensitive data, which includes social security numbers; passport numbers; data that describes or reveals the diagnosis and treatment of past, present, or future physical health, mental health, or the disability of an individual; financial account numbers; biometric information; geolocation information; private communications, such as emails; data revealing sexual orientation or behavior; and data about the online activities of an individual.

Excluded from the definition of covered data are aggregated data, de-identified data, employee data, and publicly available information.

What rights would it create?

The SAFE DATA Act would provide individuals with the right to: 

What obligations would it impose?

The key requirements for covered businesses derived from the CDPA are:

The key requirements for covered businesses derived from the FBT Act are:

The key requirements for covered businesses derived from the DETOUR Act are:

How would it be enforced?

The SAFE DATA Act designates the FTC as the federal agency responsible for enforcing the act in the same manner and by the same means as it enforces the Federal Trade Commission Act (FTCA). This means violators will face the same penalties and be granted the same immunities as those provided in the FTCA.

State Attorneys General may also commence a civil action in federal court on behalf of the residents of their state to the extent they have reason to believe that a business is engaging in an act or practice in violation of the SAFE DATA Act that threatens the interests of residents. The State Attorney General may seek, among other forms of relief, damages, civil penalties, restitution, and other compensation on behalf of the residents of the state.

The SAFE DATA Act does not provide for a private right of action. It would go into effect 18 months after enactment.