The U.S. Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA) represents the latest stage of evolution in omnibus federal privacy legislation. The bill is sponsored by Sen. Roger Wicker, R-Miss., who chairs the Senate Committee on Commerce, Science, & Transportation, and co-sponsored by several other Republicans in the Senate.
Tracing its legislative genealogy, the SAFE DATA Act is actually a conglomeration of three previously introduced legislative proposals: the discussion draft of the U.S. Consumer Data Protection Act, Filter Bubble Transparency Act and Deceptive Experiences To Online Users Reduction Act. Combining the privacy protections included in these three previously independent bills has brought about the strongest piece of privacy legislation put forth by Senate Republicans to date, the SAFE DATA Act.
Legislative predecessors of the SAFE DATA Act
For the most part, the newly proposed SAFE DATA Act is an updated version of the discussion draft of the USCDPA, which appeared toward the end of 2019.
Notable provisions of the USCDPA included requirements for companies to obtain “affirmative express consent” before processing or transferring individuals’ sensitive data, publish transparent privacy policies, implement “reasonable data security practices,” and not deny goods or services to any individuals who exercise their privacy rights. The bill would provide users rights to access, correction, deletion and portability. It would also require certain companies to minimize data collection, processing and retention; designate privacy officers and data security officers; and conduct annual privacy impact assessments.
There are some minor but notable differences between the two texts. The SAFE DATA Act expands the USCDPA’s definition of “deidentified data” to include “information that … does not contain any persistent identifier or other information that could readily be used to reidentify the individual to whom, or the device to which, the identifier or information pertains.” Also, the definition of “biometric information” that was included in the discussion draft of USCDPA is not found in the SAFE DATA Act.
Titles II and III of the SAFE DATA Act, however, differ markedly from their predecessors. Namely, Title II contains a new section concerning “filter bubble transparency.” This section of the SAFE DATA Act, as well as the definitions for “algorithm ranking system” and “connected device,” all come from the Filter Bubble Transparency Act, which is a bipartisan piece of privacy legislation that was introduced in October 2019. It was sponsored by Sen. John Thune, R-S.D., and co-sponsored by Sens. Richard Blumenthal, D-Conn., Jerry Moran, R-Kan., Marsha Blackburn, R-Tenn., and Mark Warner, D-Va.
Primarily, the Filter Bubble Transparency Act would require that certain platforms notify users if their personal data is used to select the content they see using an “opaque algorithm.” Platforms must also provide users with a version that uses an “input-transparent” algorithm.
Meanwhile, the SAFE DATA Act’s section on “unfair and deceptive acts and practices relating to the manipulation of user interfaces” in Title II, as well as its definitions of terms such as “behavioral or psychological experiments or research” and “compulsive usage,” come from the DETOUR Act, another bipartisan piece of privacy legislation that was sponsored by Sen. Warner and co-sponsored by Sens. Thune, Amy Klobuchar, D-Minn., and Deb Fischer, R-Neb.
The DETOUR Act would regulate so-called “dark patterns,” which are ways of structuring the interfaces and information presented on websites so as to nudge users in divulging more personal data than they would otherwise. The main provision of the law would prohibit companies from obtaining consent or user data through interfaces that “obscur[e], subvert[], or impair[] … user autonomy, decision-making, or choice.” The bill would also prohibit companies from encouraging “compulsive usage” in any person under the age of 13. Lastly, the bill would place additional public disclosure obligations on companies that perform behavioral or psychological research based on the data or activity of users, as well as require them to establish independent review boards.
Title IV of the SAFE DATA Act also includes a section that would empower the FTC to seek a permanent injunction and other remedies in the case of violations.
Looking ahead, divisions remain…
Privacy Isn’t Dead. Far From It.
Welcome! The fact that you’re reading this means that you probably care deeply about…