DATA Privacy Act

Digital Accountability and Transparency to Advance Privacy Act or the DATA Privacy Act

This bill establishes information security requirements for businesses that collect, process, store, or disclose information relating to at least 3,000 people in a 12-month period. The bill applies to information that may be linked to a specific individual or a device associated with a specific individual. It does not cover data related to employment or publicly available government records.

Specifically, covered businesses must

• provide consumers with accessible notice of the business’ privacy practices with respect to such information; and
• if meeting a certain revenue threshold, appoint a privacy officer to oversee compliance with the information privacy standards of this bill.

The bill further requires the Federal Trade Commission to promulgate rules requiring covered businesses to

• limit the purpose and amount of consumer data collection to reasonable business purposes, provide consumers with clear methods to opt-in and opt-out of such collection, and refrain from using such data for discriminatory purposes;
• provide consumers with a method to access, revise, transmit, and delete such collected information; and
• establish information security practices based on the sensitivity and level of identifiability of the collected data, risk of exposure of such data, widely-accepted practices of securing such data, and cost and impact of implementing such practices.

The bill further revises the National Science Foundation information security grants program to include research about methods to encrypt or remove identifiable elements from collected consumer data.