As the patchwork regulatory landscape of data protection laws becomes more complex, many industry experts and legislators agree that a comprehensive federal privacy law is needed. On September 17, 2020, a group of Republican senators proposed the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (the “Act”), Congress’s latest push for a single national data privacy standard for consumers.
The Act combines three privacy bills previously introduced in the Senate - the U.S. Consumer Data Protection Act, Filter Bubble Transparency Act and Deceptive Experiences To Online Users Reduction Act - and is an effort to protect consumer data while reducing the complexity of complying with conflicting state standards.
At a high level, the Act includes the following requirements:
- Covered data. Data covered by the Act includes information that identifies, is linked or is reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual. Covered data does not include aggregated data, de-identified data, employee data or publicly available information.
- Federal preemption of state privacy laws. The Act expressly prohibits states from adopting or enforcing any law, rule or regulation related to data privacy or data security; however, the Act does not preempt state laws that directly establish data breach notification requirements.
- The Act would not supersede all federal laws. The Act enumerates eleven federal laws that the Act would not supersede, including COPPA, HIPAA and Title V of Gramm-Leach-Bliley, among others.
- Privacy policies.
  - Covered entities would be required to make available, in a clear and conspicuous manner, a privacy policy prior to the point of collection of covered data. The privacy policy must disclose the categories of data collected, the processing purposes for each category of covered data, the categories of recipients to whom the entity transfers covered data, the purpose of the transfers, and a general description of data retention practices. In addition, the privacy policy must disclose how consumers can access, correct, delete and port their data.
  - In the event of a material change to a covered entity’s privacy policy, such entity would be required to notify impacted individuals prior to further processing or transferring previously collected covered data, and provide an opportunity to withdraw consent before further processing. Covered entities must provide direct notification of material changes, “where possible,” taking into account the available technology and nature of the relationship.
- Individual control over covered data.
  - Access. Within 90 days of receipt of a verified request from an individual, a covered entity must provide reasonable access to the requesting individual’s data, or provide an accurate representation of the covered data of such individual. If applicable, the covered entity must also provide a list of categories of third parties to whom the covered entity has transferred the individual’s data, and a description of the purpose for which the data was transferred.
  - Request to correct inaccuracies. Consumers can request that the covered entity correct material inaccuracies or materially incomplete information, and request that the entity notify any third parties to whom such data was transferred of the corrected information.
  - Request to delete or deidentify covered data. Consumers can also request that the covered entity either delete or deidentify their data, and notify any third party to whom the data was transferred of the request, unless the transfer of such data was made at the individual’s direction.
  - Portability. If technically feasible, the covered entity must provide the requesting individual’s data in a portable, machine-readable format that is not subject to licensing restrictions.
  - Frequency and cost of access. Individuals will have the right to exercise their rights with respect to the access, deletion and provision of data at no cost, no less than twice during each 12-month period.
  - Sensitive covered data. Covered entities would be required to obtain an individual’s explicit consent prior to transferring data that is considered sensitive covered data.
- Exceptions. The Act includes various exceptions to a covered entity’s obligation to comply with an individual’s request, including an exception for any request that would require the entity to reidentify data that has been deidentified, require disproportionate effort, or that would compromise the data protection rights of any other individual.
- Additional obligations of covered entities. The Act also requires covered entities to limit data collection, processing and retention to what is reasonably necessary, designate data security and privacy officers, and conduct annual privacy impact assessments.
- Disclosures regarding opaque algorithms. Covered internet platforms would be required to notify users if opaque algorithms are used to make inferences based on user specific data to select content the user sees. In addition, certain platforms would also be required to make a version of the platform available that uses an input-transparent algorithm, and enable users to easily switch between the two versions of the platform.
Critics of the Act note that few consumers actually read privacy policies, thus relying on a privacy policy to satisfy the notice-and-consent requirement for data collection can be problematic. In addition, the Act does not include any meaningful limitations on the type of personal data that companies may collect, so long as the privacy policy discloses such collection. The Act would also preempt state laws that provide stronger protections in certain areas, such as the California Consumer Privacy Act, and does not include a private right of action.