The U.S. Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act represents the latest stage of evolution in omnibus federal privacy legislation. The bill is sponsored by Sen. Roger Wicker, R-Miss., who chairs the Senate Committee on Commerce, Science, & Transportation, and co-sponsored by several other Republicans in the Senate.

Tracing its legislative genealogy, the SAFE DATA Act is actually a conglomeration of three previously introduced legislative proposals: the discussion draft of the U.S. Consumer Data Protection Act, Filter Bubble Transparency Act and Deceptive Experiences To Online Users Reduction Act. Combining the privacy protections included in these three previously independent bills has brought about the strongest piece of privacy legislation put forth by Senate Republicans to date, the SAFE DATA Act.

Legislative predecessors of the SAFE DATA Act

For the most part, the newly proposed SAFE DATA Act is an updated version of the discussion draft of the USCDPA, which appeared toward the end of 2019.

Notable provisions of the USCDPA included requirements for companies to obtain “affirmative express consent” before processing or transferring individuals’ sensitive data, publish transparent privacy policies, implement “reasonable data security practices,” and not deny goods or services to any individuals who exercise their privacy rights. The bill would provide users rights to access, correction, deletion and portability. It would also require certain companies to minimize data collection, processing and retention; designate privacy officers and data security officers; and conduct annual privacy impact assessments.

There are some minor but notable differences between the two texts. The SAFE DATA Act expands the USCDPA’s definition of “deidentified data” to include “information that … does not contain any persistent identifier or other information that could readily be used to reidentify the individual to whom, or the device to which, the identifier or information pertains.” Also, the definition of “biometric information” that was included in the discussion draft of USCDPA is not found in the SAFE DATA Act.

Titles II and III of the SAFE DATA Act, however, differ markedly from their predecessors. Namely, Title II contains a new section concerning “filter bubble transparency.” This section of the SAFE DATA Act, as well as the definitions for “algorithm ranking system” and “connected device,” all come from the Filter Bubble Transparency Act, which is a bipartisan piece of privacy legislation that was introduced in October 2019. It was sponsored by Sen. John Thune, R-S.D., and co-sponsored by Sens. Richard Blumenthal, D-Conn., Jerry Moran, R-Kan., Marsha Blackburn, R-Tenn., and Mark Warner, D-Va.

Primarily, the Filter Bubble Transparency Act would require that certain platforms notify users if their personal data is used to select the content they see using an “opaque algorithm.” Platforms must also provide users with a version that uses an “input-transparent” algorithm.

Meanwhile, the SAFE DATA Act’s section on “unfair and deceptive acts and practices relating to the manipulation of user interfaces” in Title II, as well as its definitions of terms such as “behavioral or psychological experiments or research” and “compulsive usage,” come from the DETOUR Act, another bipartisan piece of privacy legislation that was sponsored by Sen. Warner and co-sponsored by Sens. Thune, Amy Klobuchar, D-Minn., and Deb Fischer, R-Neb.

The DETOUR Act would regulate so-called “dark patterns,” which are ways of structuring the interfaces and information presented on websites so as to nudge users in divulging more personal data than they would otherwise. The main provision of the law would prohibit companies from obtaining consent or user data through interfaces that “obscur[e], subvert[], or impair[] … user autonomy, decision-making, or choice.” The bill would also prohibit companies from encouraging “compulsive usage” in any person under the age of 13. Lastly, the bill would place additional public disclosure obligations on companies that perform behavioral or psychological research based on the data or activity of users, as well as require them to establish independent review boards.

Image

Title IV of the SAFE DATA Act also includes a section that would empower the FTC to seek a permanent injunction and other remedies in the case of violations.

Looking ahead, divisions remain

In a Brookings Institution report issued in June, the authors stated “comprehensive information privacy legislation appears stalled on Capitol Hill,” due mostly to “a few pivotal and more polarized issues” around which a consensus has been hard to forge. Namely, the two key dividing lines are whether federal privacy legislation will include a private right of action and preempt state laws that offer a higher standard of privacy protections, such as the California Consumer Privacy Act.

Unfortunately, these issues have not been resolved in the SAFE DATA Act. However, the bill may still be a harbinger of the long-awaited consensus around federal privacy legislation. Indeed, the SAFE DATA Act has the potential to assemble the largest bipartisan group of Senators around a federal privacy bill to date. Yet, it still lacks many of the legislative proposals that have been developed by key Senate Democrats, including Sens. Maria Cantwell, D-Wash., Brian Schatz, D-Hawaii, Klobuchar, and Edward Markey, D-Mass.

Although the passage of federal privacy legislation this year remains “a long shot,” a hearing entitled “Revisiting the Need for Federal Data Privacy Legislation,” will be convened by Sen. Wicker Sept. 23 to focus on state privacy laws, the EU General Data Protection Regulation and the impact of COVID-19. The four witnesses are all former Federal Trade Commissioners: Julie Brill, William Kovacic, Jon Leibowitz and Maureen Ohlhausen. It will be worth tuning in to this hearing to stay informed on any potential movement forward on Capitol Hill toward a comprehensive U.S. privacy bill.

Photo by Quick PS on Unsplash