DATA Privacy Act
Digital Accountability and Transparency to Advance Privacy Act or the DATA Privacy Act
This bill establishes information security requirements for businesses that collect, process, store, or disclose information relating to at least 50,000 people in a 12-month period. The bill applies to information that may be linked to a specific individual or a device associated with a specific individual. It does not cover data related to employment or publicly available government records.
Specifically, covered businesses must
- provide consumers with accessible notice of the business's privacy practices with respect to such information; and
- if meeting a certain revenue threshold, appoint a privacy officer to oversee compliance with the business's privacy practices.
The bill further requires the Federal Trade Commission to promulgate rules requiring covered businesses to
- limit the purpose and amount of consumer data collection to reasonable business purposes, provide consumers with clear methods to opt-in and opt-out of such collection, and refrain from using such data for discriminatory purposes;
- provide consumers with a method to access, revise, transmit, and delete collected information; and
- establish information security standards based on the sensitivity and level of identifiability of the collected data, risk of exposure of such data, widely-accepted practices of securing such data, and cost and impact of implementing such practices.
Finally, the bill requires the National Science Foundation, and other agencies, to support research of technology that increases the privacy and confidentiality of collected data.
Read twice and referred to the Committee on Commerce, Science, and Transportation.