Nevada Senator Catherine Cortez Masto (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices.
HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place.
In the absence of a federal law that provides such protections, several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA. While Congress is assessing privacy protections for consumers, protection is currently provided by a patchwork of state laws. Privacy protections can vary greatly depending on where a person lives.
The bill – The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act – calls for GDPR-style data privacy protections to be introduced to limit the collection of personal data, to protect data that are collected, and to prevent personal data from being used to discriminate against individuals.
If the Data Privacy Act is passed, consumers will be given a greater say about the types of information that are collected, how that information is used, and with whom the information can be shared.
The Data Privacy Act calls for companies to provide consumers with a method of opting in or opting out of the collection and sharing of sensitive data, including biometric data, genetic information, and location data.
Consumers must be told what information will be collected, how it will be used, and with whom it will be shared. A process must be created that allows consumers to check the accuracy of their data, to request a copy of the information that has been collected, and to be provided with the option of transferring or deleting their data without any negative repercussions.
Restrictions will also be placed on the data that can be collected. Companies will only be permitted to collect data if there is a legitimate business reason for doing so and individuals whose data are collected must not be subjected to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.
Any company that collects the personal data of more than 3,000 individuals in a calendar year would be required to provide consumers with a notice of their privacy policies that describes how their data will be used.
Any business with annual revenues of more than $25 million will also be required to appoint a Privacy Officer, whose responsibilities will include training staff on data privacy.
The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and issue financial penalties to companies found not to be in compliance.
The Data Privacy Act is intended to improve privacy protections for consumers without placing an unnecessary burden on small businesses.
“My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used,” said Cortez Masto. “I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”