Four Republican senators have introduced a new privacy bill that is aimed at limiting corporate use of consumer data, but it is based on the outmoded idea of notice-and-consent and also would prevent states from passing their own privacy or data security laws.
The bill is the latest in what has become a deluge of privacy legislation in the current Congress, and many of the bills share common traits and basic principles. Like many of the existing bills, the SAFE DATA Act introduced last week gives individuals the opportunity to see, correct, or delete data collected on them by companies and prohibits companies from refusing to provide goods or services to people who don’t agree to their privacy policies. The bill also gives authority for enforcement to the Federal Trade Commission, as several other proposed bills do, and requires the FTC to create and maintain a registry of data brokers. Like the other pending bills, the SAFE DATA Act does not cover federal government agencies.
However, the bill employs notice-and-consent as the basis for data collection, a notion that is considered ineffective for actually informing people about what data a provider is collecting and what options they have as a result. Few people take the time to read privacy policies, and even if they do, the language is very difficult to decipher. The SAFE DATA Act, introduced by Sens. Roger Wicker (Miss.), John Thune (S.D.), Deb Fischer (Neb.), and Marsha Blackburn (Tenn.), rests on the concept of affirmative consumer consent for data collection and processing, but there are not any practical limitations on what type of data companies can collect.
“Senator Wicker’s SAFE DATA Act allows companies to collect any personal data it pleases as long as it discloses it in its privacy policy,” said Caitriona Fitzgerald, policy director at EPIC. “And it prohibits states from adopting or enforcing any data privacy or data security laws. The SAFE DATA Act is very weak compared to Senator Gillibrand’s Data Protection Act, Senator Brown’s discussion draft, and the Online Privacy Act introduced in the House.”
The Online Privacy Act is the sole current privacy bill that would establish a federal data protection agency, a concept that many privacy advocates have been calling for. Most of the other pending bills give enforcement authority to the FTC, as does Wicker’s bill, eschewing the idea of a central agency for data protection.
“More than ever, we need to stop bad actors and restore consumers’ trust in the internet marketplace. Today I am introducing a bill that would provide all Americans with baseline protections and more transparency, choice, and control over their data. It would also strengthen the FTC’s ability to hold businesses accountable when using data for nefarious purposes,” Wicker said in a statement.
While many of the provisions in the new bill are similar to those in existing bills, the SAFE DATA Act also includes a section that explicitly prohibits state legislatures from passing new privacy or data security laws, or from enforcing existing laws. The clause does not apply to state data-breach notification laws, however.
“No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard related to the data privacy or data security and associated activities of covered entities,” the bill says.