Proposed Federal Data Privacy Law Would Provide Much Needed Clarity and Protection For Businesses. But Don't Hold Your Breath
On Wednesday, July 28, legislation was introduced in the United States Senate that could be a game-changer for any business that acquires, collects, stores, and uses data about its customers. And if you run a consumer-facing business of any kind or size, that likely means you.
However, the proposed law faces an uncertain future at a time when the combination of partisan disagreements and other legislative priorities may make its passage tenuous at best. That means companies remain at risk for potentially catastrophic liability and disruptive litigation for alleged violations of a patchwork of state laws that make the legal data privacy landscape a confusing mess.
Superseding State Data Privacy Laws and Eliminating Private Cause Of Action
If it became law, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act would establish a unified, federal framework defining the obligations, and potential liability, of businesses regarding customer data. As written, the SAFE DATA Act would supersede and replace the individual state data privacy laws that currently make for a compliance minefield. Additionally and crucially, the bill does not provide for a private cause of action if a company breaches its data privacy provisions. Instead, the Federal Trade Commission and state attorneys general would be tasked with policing and enforcing the law.
Such protection from civil liability would be a game-changer for businesses large and small, as they currently face an onslaught of consumer class action lawsuits alleging violations of state data privacy laws such as the Illinois Biometric Information Privacy Act (BIPA) and California’s Consumer Privacy Act.
Additionally, the SAFE DATA Act would:
- Require companies to publish privacy policies.
- Mandate that businesses designate privacy and data-security officers.
- Require firms to provide, correct or delete consumers’ data within 90 days of a request to do so.
- Limit the data that companies can collect to what is “reasonably necessary, proportionate, and limited” to their business.
- Require that businesses get the consumer’s consent to collect “sensitive covered data” such as Social Security numbers, data revealing sexual orientation, or information that could tie a consumer to within 1,750 feet of their actual location.
Businesses Will Likely Be Stuck In The Data Privacy Minefield For The Foreseeable Future
The SAFE DATA Act is just the latest effort to establish a federal data privacy law, and, as noted, passage in its current form is far from certain. As such, business owners need to understand and ensure compliance with state data privacy laws, which can be easier said than done. These laws are voluminous and complicated, and they establish different obligations, standards, and potential consequences for data breaches and non-compliance.
That’s why it is so critical for any business that collects consumer data to work with an experienced data privacy attorney to develop a robust data security program that complies with current laws and minimizes the chances of costly violations.
Latimer LeVay Fyock intellectual property attorney Colin O’Brien recently earned the designation of Certified Information Privacy Professional (CIPP/US). Granted by the International Association of Policy Professionals, the CIPP/US designation certifies that an individual has mastered a core foundational understanding of U.S. data privacy laws and regulations. It also reflects that the designee has comprehensive knowledge of how those laws and regulations intersect with the technical and practical principles of data collection, retention, protection, and use practices.
If you would like to learn more about how Latimer LeVay Fyock can help your business minimize the risks of data breaches and non-compliance with data privacy laws, please contact Colin O’Brien today.