A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen. In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations. Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws. Three House Representatives pointed to the breach as a reminder as to why there needs to be a national privacy and data security law. One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.
As detailed previously on this blog, there are myriad state laws protecting consumers’ data and privacy that differ from each other in various ways, including whether they provide the consumer with a private right of action, what information is protected, and what entities they apply to. And more and more states are on the verge of entering the arena. While many will debate whether the clarity provided by a national bill is preferable to allowing states to make their own privacy laws (assuming a national bill preempted state laws), which may be stricter, the possibility of a national bill passing is a real possibility.
The SAFE DATA Act’s aim is to “establish data privacy and data security protections of consumers in the United States.” Perhaps its biggest departure from many state consumer privacy laws, like the CCPA, is that it lacks a private right of action allowing individual persons to sue. Instead, the Federal Trade Commission and state attorney generals are provided with the authority to go after entities who fail to abide by the law’s protections, such as requiring covered entities to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of covered data.” The Act would also grant consumers greater control over their data, allowing them to access, correct, and/or delete their data, in addition to requiring consumer consent over the processing or transferring of “sensitive covered data.”
Subject to certain exceptions, “covered data” is information “that identifies or is linked or reasonably linkable to an individual,” meaning the data “can be used on its own or in combination with other information” to identify such individual. “Sensitive covered data” includes, among many other identifiers, social security numbers, passport numbers, driver’s license numbers, financial account numbers, and biometric information.
The act would apply to most business, including non-profits, that collect, process, or transfer covered data. The only entities explicitly excluded from certain provisions are small businesses, defined as entities that for the three previous years (1) never employed more than 500 employees, (2) averaged less than $50,000,000 in annual gross revenue, (3) derived less than 50% of its revenues from transferring covered data, and (4) annually processed the covered data of less than 1,000,000 individuals.
After failing to get out of committee last year, the bill was re-introduced in the U.S. Senate in late July. We will continue to monitor and report on its progress.