Sen. Catherine Cortez Masto, D-Nevada, recently unveiled her take on data privacy legislation that would require companies not covered by HIPAA to get explicit consent from patients before gathering and sharing health and genetic data.
Cortez Masto joins several other Congressional members to propose data privacy legislation in recent months. Sen. Marco Rubio, R-Florida, recently released his take, the American Data Dissemination Act of 2019, which would supersede the patchwork of state laws.
The bills come on the heels of intense data privacy scrutiny from Congress. Both the House and Senate held separate data privacy committee meetings this week, which centered around the risk posed by companies gathering and collecting data, including health information, without explicit consent.
Cortez Masto’s bill addresses those concerns with the goal of fostering “the use of new data security and privacy protection best practices and holds major corporations that handle consumer data accountable without placing unnecessary burdens on small businesses.”
“My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used,” Cortez Masto said in a statement.
“This bill requires companies put data protection and transparency first, while also requiring Congress and our government agencies step up to make the private data of consumers in Nevada, and across the country, a priority for protection,” she added.
To accomplish this, the legislation would require companies to provide individuals with reasonable access to a method that would allow them to opt in or out of data collection and sharing. The bill covers the collecting and storing of sensitive data, such as biometrics, genetics, or location data.
The consent form must outline how that data will be used. The bill would also let consumers request their records, dispute their accuracy, and transfer or delete their data “without retribution” around price or services offered.
Further, organizations would need to apply three standards to all data collection, processing, storage, and disclosure.
First, collection must be for a legitimate business or operation purpose, without subjecting individuals to unreasonable risks to their privacy. Further, the data may not be used to discriminate against individuals for protected characteristics, such as religious beliefs. Lastly, companies may not engage in deceptive data practices.
The bill will also require companies that collect data on more than 3,000 people a year to provide consumers a privacy notice that is “understandable to consumers and that accurately describes their privacy policies.”
Those businesses must also “prioritize protecting consumer data through technological, administrative, and physical means based on the privacy risk, while ensuring small businesses are protected from onerous requirements and unnecessary regulations.”
The bill also requires those larger organizations with more than $25 million in annual revenue to appoint a privacy protection officer to train staff and create a sound culture around data privacy. It also empowers state attorneys general and the Federal Trade Commission to levy civil penalties for violating the law.
Much of the bill’s language reflects the increasing focus on privacy in the Congressional space, especially in light of Facebook’s data collection processes. A recent complaint to the Federal Trade Commission blasted the social media platform for allegedly exposing users’ health data in purportedly private groups. In response to these reports, New York is investigating Facebook’s health data practices.