Senator Catherine Cortez Masto (D-NV) has introduced a new bill which aims to tackle concerns consumers face about the collection and use of their data.
Senator Catherine Cortez Masto’s “Data Privacy Act” calls for organisations to be more transparent with consumers regarding their data collection practices. Furthermore, it offers improved privacy protections for consumers and prohibits organisations from using discriminatory data practices.
Under HIPAA, covered entities (CEs) must obtain consent from patients before disclosing their health information to third parties. There are some exceptions, such as if the information is being disclosed for the provision of healthcare, payment for healthcare, or healthcare operations. These rules do not restrict any organisation that is not covered by HIPAA, and therefore consumers may have their data passed on to third parties without their knowledge or consent.
There is no federal law addressing these data privacy issues, although Congress is assessing privacy protections for consumers. To close this legislative gap, several states have introduced (or are in the process of introducing) new laws covering health and other sensitive data collected by entities that are not covered by HIPAA. Therefore, protection varies on a state-by-state basis.
The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act calls for data privacy protections to be introduced to limit the collection of personal data, to protect data that are collected, and to prevent personal data from being used to discriminate against individuals. Many comparisons can be drawn between the protections it wishes to grant consumers and those granted by Europe’s recent General Data Protection Regulation.
Some changes introduced by the Data Privacy Act would include:
Consumers having power over what information is collected, how it is used, and with whom the information can be shared
Requiring that companies provide consumers with the option of opting out of the collection and sharing of sensitive data, including biometric data, genetic information, and location data
Requiring that companies inform consumers of what information is collected, how it will be used, and with whom it will be shared
Consumers must be able to check the accuracy of their data
Companies must provide consumers with a copy of the data that has been collected upon request
Consumers must be able to transfer or delete their data without any consequences
Only certain types of data can be collected
Companies must only collect data if there is a legitimate reason to do so
The bill also contains provisions that aim to protect consumers from discriminatory targeted advertising practices based on race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.
The Data Privacy Act requires any company that collects the personal data of more than 3,000 individuals in a calendar year to provide consumers with a notice of their privacy policies that describes how their data will be used. Any business with annual revenues of more than $25 million will also be required to appoint a Privacy Officer. The Privacy Officer would be responsible for a variety of privacy-related issues, including HIPAA training staff on data privacy.
The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and issue financial penalties to companies found not to be in compliance.
“My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used,” said Cortez Masto. “I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”