Privacy Law Update: What’s Happening at the Federal Level?
Several recent proposals in Congress for data privacy and security legislation, if enacted, would have significant implications for U.S. businesses, their internet-connected products and services, and relations with the federal government.
Individual Data Privacy
The Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S 3663) is the latest federal data privacy act to be introduced in Congress. The SAFE DATA Act seeks to establish an overarching framework for consumer data privacy and security that would preempt state law. The Act would impose data transparency, integrity, and security requirements and obligations for entities that are subject to the Federal Trade Commission Act, as well as common carriers and non-profit organizations.
The SAFE DATA Act is actually a conglomeration of three previously introduced legislative proposals: the discussion draft of the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act. The combination of the privacy protections included in these three previously independent bills is thought by many in Congress to be the strongest piece of privacy legislation put forth to date. The SAFE DATA Act provides similar consumer rights to those that have been granted in the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), such as the rights of access, deletion, notice, correction and opting-out, as well as a right to data portability. Organizations would be prohibited from denying goods or services to an individual if the individual exercised any of the rights afforded by the SAFE DATA Act.
The Act would also require companies to obtain affirmative, express consent before processing or transferring an individual’s sensitive data. This bill partially incorporates some principles provided in the GDPR, such as requiring data minimization by large data-holding companies. This minimization would apply to all data collected, processed and retained.
Even with the consolidation of several previously proposed bills, passage of any federal data privacy legislation this year still appears to be a long shot.
A bipartisan bill setting minimum security standards for Internet of Things (IoT) devices connected to federal networks passed in the House of Representatives last month and now awaits a Senate floor vote after clearing the Senate Homeland Security and Governmental Affairs Committee in June 2019.
If enacted, the IoT Cybersecurity Improvement Act (HR 1668) would require the National Institute of Standards and Technology (NIST) to develop and publish (1) minimum security standards and guidelines on the use and management of IoT devices owned or controlled by a federal government agency, including requirements for managing cybersecurity risks; and (2) guidelines for disclosing security vulnerabilities of information systems, including IoT devices, by contractors (and subcontractors) who provide the technology to the agency. The bill would also require the Department of Homeland Security to publish guidance on coordinated vulnerability disclosures for contractors and vendors.
The lawmakers behind this effort, Reps. Will Hurd (R-TX) and Robin Kelly (D-IL), along with Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), have spent more than three years trying to get this bill over the finish line.