In recent months, updated versions of the Data Protection Act of 2020 and the SAFE DATA Act have been reintroduced in the U.S. Senate. This post provides an overview of these updated privacy bills, both of which were previously introduced during the 116th Congress.
The Data Protection Act of 2021
On June 17, Sen. Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2021 (S. 2134). This latest bill includes significant updates from the previous version; however, both versions share the primary purpose of establishing a federal Data Protection Agency (DPA). Under this law, most of the Federal Trade Commission’s (FTC) privacy-related authority would be transferred to the DPA. This independent agency would be led by a director, who would be appointed by the president for a five-year term, much like the current structure of the CFPB.
Noteworthy updates include the following:
- New Defined Terms: New definitions clarify the role and scope of the DPA. This includes definitions for “data aggregators” and “service providers,” which are the primary parties regulated by the DPA. The latest version also introduces the concept of “privacy harm,” which is a key term in the sections of the bill describing the objectives and purpose of the DPA.
- Merger Supervision: The DPA must (i) conduct a review of any merger that involves either “large data aggregators” or the transfer of 50,000 individuals’ personal data and (ii) submit a report describing the “privacy and data protection implications” of such mergers to the Department of Justice (DOJ) and the FTC.
- High-Risk Data Practices Oversight: The DPA would be given additional enforcement and oversight powers over certain “high-risk data practices.”
- Office of Civil Rights: Establishes an Office of Civil Rights within the DPA and outlines the powers and duties of this office.
- Larger Penalties and Fines: Remedies include fines (which vary based on severity from $5,000 to $3 million per day), disgorgement, limits on future activities, etc.
Many other state and federal privacy bills have sought to establish similar privacy-focused regulatory agencies; however, unlike the Data Protection Act of 2021, most of these bills also establish a comprehensive privacy regime (i.e., provide data subject rights, require privacy policies, etc.). The Data Protection Act of 2021 would only preempt state laws “to the extent that any such provision of law is inconsistent with the provisions of this title, and then only to the extent of the inconsistency.” In other words, state laws that offer greater protection, such as the California Consumer Privacy Act (CCPA), would likely remain in full effect.
The SAFE DATA Act
On July 28, Sens. Roger Wicker (R-MS) and Marsha Blackburn (R-TN) reintroduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S. 2499). The previous version of the SAFE DATA Act was introduced in 2019 and was created by combining a discussion draft of the U.S. Consumer Data Protection Act with provisions from the Filter Bubble Transparency Act (FBT Act) and the Deceptive Experiences to Online Users Reduction Act (DETOUR Act). Both the FBT Act and the DETOUR Act addressed narrower privacy-related issues, with a general focus on restricting the use of data in consumer manipulation technologies.
The 2021 version of the SAFE DATA Act does not include the provisions that were incorporated from the FBT Act (which was separately reintroduced by Sen. Randolph Thune (R-SD)) or the DETOUR Act. These deletions make up the majority of the substantive changes to this bill. Other noteworthy changes reflected in the 2021 version include a prohibition on processing activities that violate civil rights law, and the removal of a provision affirming the FTC’s ability to seek equitable relief for privacy law violations.
Both the Data Protection Act of 2021 and the SAFE DATA Act would provide additional resources for the federal regulation of privacy. Specifically, the FTC would be appropriated $100 million to enforce the SAFE DATA Act. The Data Protection Act of 2021 does not appropriate a specific amount of funding; however, the bill does state that the DPA should be apportioned “sums as may be necessary to carry out this Act.” Funding for the DPA could also come from assessments and fees on data aggregators, the existence and amount of which would be determined by the DPA’s director. Both bills also provide for increased scrutiny of the processing of certain sensitive data types, including biometric data and precise geolocation information.
As of late August, neither bill had advanced beyond committee assignment. In June, the chair of the Senate Commerce Subcommittee on Communications, Sen. Richard Blumenthal (D-CT), indicated there may be hearings on privacy this summer; however, as of late August no such hearings have taken place. Up to this point in the legislative session, cybersecurity and infrastructure seem to have taken priority over privacy. This focus can be attributed in part to the Colonial Pipeline ransomware attack.
Given this lack of federal movement, the prospect of a fragmented, state-driven privacy regulatory landscape in the U.S. seems more likely than ever. Businesses should focus on ensuring that they are prepared for 2023, when the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA) all come into effect. During this current period of uncertainty, businesses should also focus on the concepts that are consistent across most of the federal and state privacy bills and laws (e.g., data minimization, data subject rights, consent for sensitive data, etc.). Focusing on these general concepts and remaining flexible will allow businesses to adapt to and comply with future privacy regimes more quickly.
 Data aggregators are defined as “any person that collects, uses, or shares, in or affecting interstate commerce, an amount of personal data that is not de minimis, as well as entities related to that person by common ownership or corporate control.”
 Service providers are defined as “a data aggregator that collects, uses, or shares personal data only on behalf of another data aggregator in order to carry out a permissible purpose, and only to the extent of such activity.”
 Privacy harm is broadly defined. Examples of privacy harm include direct or indirect financial harm, physical harm, reputational harm, a threat to an individual or property, psychological harm (including anxiety, embarrassment, fear, etc.), the chilling of free expression, discrimination, etc.
 Large data aggregators are data aggregators that have more than $25 million in gross annual revenue or annually process the data of 50,000 individuals, households, or devices.
 Examples include but are not limited to the use of automated decision-making systems, the large-scale systematic processing of publicly available data, the processing of an individual’s precise geolocation, etc.
The Filter Bubble Transparency Act would require that internet platforms provide their users with “the option to engage with a platform without being manipulated by algorithms driven by user-specific data.”
The Deceptive Experiences to Online Users Reduction Act aims to (i) “prohibit the usage of exploitative and deceptive practices by large online operators” and (ii) “promote consumer welfare in the use of behavioral research by such providers.” Specifically, this legislation is aimed at preventing “dark patterns,” which Sen. Warner described as follows in the press release for this legislation: “The term ‘dark patterns’ is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances.”
 The FBT Act and the DETOUR Act were previously introduced with bipartisan support; however, despite this support, the 2019 version of the SAFE DATA Act did not advance beyond committee assignment.
 Portions of the SAFE DATA Act would “not apply in the case of a covered entity that can establish that, for the 3 preceding calendar years (or for the period during which the covered entity has been in existence if such period is less than 3 years) — (1) the covered entity’s average annual gross revenues did not exceed $50,000,000; (2) on average, the covered entity annually processed the covered data of less than 1,000,000 individuals; (3) the covered entity never employed more than 500 individuals at any one time; and (4) the covered entity derived less than 50 percent of its revenues from transferring covered data.”
 These provisions establish that the new law should not be construed to modify, limit, or supersede other existing laws.