Yet another senator has released a draft of a privacy bill, and it echoes elements of the EU’s strict GDPR regulations, as well as California’s controversial privacy law. What it doesn’t do is resolve the question of whether consumers should be able to “opt out” of having their data shared by tech companies.
Sen. Catherine Cortez Masto (D-Nev.) unveiled the Digital Accountability and Transparency to Advance (DATA) Privacy Act last week, highlighting values like the right to deletion and clear, concise privacy policies that consumers can understand.
Most notably, the bill does not preempt state laws, but it includes civil penalty authority for the Federal Trade Commission (FTC) and a right to privacy regardless of race, gender, political or religious affiliation, and it prohibits political ad targeting and price discrimination based on one of those “protected characteristics.”
The bill also does not exempt any government organizations (federal, state, or local) from the privacy requirements listed, and requires tech companies to provide a clear “opt out” option to consumers that allows them to tell tech companies not to share their data with third parties or use it for anything other than the service the tech company provides to the consumer.
Cortez Masto’s bill also includes a “safe harbor” provision for tech startups that make less than $25 million a year and collect data on fewer than 3,000 people, which would encourage innovation while still requiring the big companies to meet certain privacy requirements.
Companies that make more than $25 million a year and collect data on 3,000 or more people must appoint a “privacy protection officer,” who must “educate employees about compliance requirements; train employees involved in data processing; conduct regular, comprehensive audits to ensure compliance and make records of the audits available to enforcement authorities upon request; maintain updated, clear, and understandable records of all data security practices undertaken by the covered entity; serve as the point of contact between the covered entity and enforcement authorities; and advocate for policies and practices within the covered entity that promote individual privacy.”