Last week, Senate Republicans added to the growing pile of federal data privacy legislation drafts. The bill, known as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (the SAFE Data Act), is a stab at a comprehensive federal privacy law.
Here’s what to know about the new bill.
It Embraces Existing Principles
SAFE DATA is largely a synthesis of three earlier bills: the United States Consumer Data Privacy Act (USCDPA), the Deceptive Experiences To Online Users Reduction Act (DETOUR) and the Filter Bubble Transparency Act.
SAFE DATA carries over most of the core principles of USCDPA, which also appear in the already enforceable California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).
Under SAFE DATA, privacy policies must be transparent. Some companies are required to minimize data collection, conduct annual privacy assessments, and designate data security officers. Consumers gain the right to access, correct, delete, and port their data.
Discrimination and Consent
Two provisions stand out, both of which track USCDPA.
First, the bill prohibits collectors from discriminating against consumers who exercise the rights it grants. A company cannot deny a good or service, or offer worse terms, because a consumer requested access to or deletion of their data.
Second, organizations must obtain "affirmative express consent" before transferring user data to a third party. The data subject must actively communicate consent to that specific transfer; a pre-checked box or continued use of the service does not qualify.
SAFE DATA also borrows from DETOUR in taking a stand against deceptive design: organizations may not design a user interface with the purpose or substantial effect of impairing "user autonomy, decision-making, or choice."
The same restriction extends to companies that conduct behavioral or psychological research on the users whose data they collect. SAFE DATA requires express consent before such research is performed.
The bill specifically bars companies from designing their platforms to cultivate "compulsive usage" by children under the age of 13, citing video auto-play that the child did not request as an example.
Filter Bubble Transparency
The bill limits the use of opaque algorithms and lets consumers opt out of the "filter bubble," the effect produced when an algorithm personalizes a user's feed or results in ways that reinforce the user's existing beliefs.
A platform that uses an opaque algorithm to rank or select the content a user sees must notify the user the first time that algorithm is applied.
In addition, users must be able to step out of the filter bubble easily by switching to a version of the platform driven by an input-transparent algorithm, one that relies only on data the user has expressly supplied rather than on inferred behavioral data.
A Nationwide Standard
CCPA and GDPR already hold American companies accountable, and a wave of state legislation is expected to reinforce that trend. Complying with a different, and often conflicting, law in each state is costly and error-prone, which is why pressure for a single federal standard has never been greater.
In theory, SAFE DATA would unify the compliance standard for businesses and guarantee a baseline of data protection for consumers across the country.
How will SAFE DATA be financed? The bill calls for a $100 million appropriation to the Federal Trade Commission, which would have the authority to enforce the law and impose penalties for violations.