A new bill (the Data Privacy Act) has recently been introduced by Nevada Senator Catherine Cortez Masto (D-NV). This bill calls for improved privacy protections for consumers, greater accountability and transparency for data collection practices, and the prohibition of discriminatory data practices.
It is currently a requirement for HIPAA-covered entities to obtain consent from patients before using or disclosing their health information for reasons other than the payment for healthcare, provision of healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place.
In the absence of a federal law that provides such protections, a number of states are considering introducing or have already introduced laws covering health and other sensitive data collected by entities that are not covered by HIPAA. While Congress is assessing privacy protections for consumers, a patchwork of state laws is currently the main provider of protection. As a result, privacy protections can vary greatly depending on where the consumer lives.
The bill, The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, calls for data privacy protections similar to those in place under GDPR to be introduced to limit the collection of personal data, to protect data that is collected, and to prevent personal data from being used to discriminate against individuals.
If the Data Privacy Act is passed, consumers will be given more of a say about the types of information that are collected, how this information is used, and with whom the information is shared.
The Data Privacy Act will also call for companies to provide consumers with an option of opting in or out of the collection and sharing of sensitive data, such as genetic information, location data and biometric data.
Consumers have a right to be told what information will be collected, how the company plans to use the information, and with whom the information will be shared. The company must also create a process that allows consumers to check the accuracy of their data, to request a copy of any information that has been collected, and to be provided with the option of transferring or deleting their data without any negative effects.
Restrictions will also be implemented in terms of the data that can be collected. Companies will only be permitted to collect data if there is a legitimate business reason for doing so. Additionally, individuals whose data is collected must not be exposed to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on information they give such as sex, gender, sexual orientation, race, nationality, religious belief, or political affiliation.
It would also be necessary for any company that collects the personal data of more than 3,000 individuals in a calendar year to provide consumers with a notice of their privacy policies that clearly explains how their data will be used.
Furthermore, any business with annual revenues in excess of $25 million will also be required to appoint a Privacy Officer. His/her responsibilities will include tasks such as training staff on data privacy.
The FTC and state attorneys general will be given the authority to enforce compliance with the new Act, and financial penalties will be issued to companies that are found not to be in compliance.
The intention of the Data Privacy Act is to improve privacy protections for consumers without placing any unnecessary burden on small businesses.
In a statement released in relation to the new Act, Senator Cortez Masto said, “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”