The Data Care Act – A New Federal GDPR-Style Data Privacy Bill

Data privacy regulations have been introduced in the 50 states, although, there is no federal data privacy legislation in the United States. However, a bill has been introduced which could replace the patchwork of current privacy laws.

On December 12, 2018, 15 U.S. senators led by Brian Schatz, (D-Hawai’i), presented the Data Care Act. If the Act is signed into law, it would require all organizations that collect personal information of consumers to implement safeguards to make sure that information is secured. Companies would also be required to just use personal information for specific purposes and not in ways that could cause harm to consumers.

The bill was presented roughly 7 months after the introduction of the General Data Protection Regulation (GDPR) by the EU and mirrors many GDPR Rules. Much like the GDPR, the bill puts limitations on the collection, usage, and sharing of personal data and introduces new rights for consumers to allow them to access and update their personal data and have it deleted.

The bill also requires companies to reveal the names of entities to whom users’ personal information have been disclosed and which organizations and individuals have been authorized to use that information.

Some of the areas where GDPR and the Data Care Act differ are listed below:

The Data Care Act..

  • Doesn’t include the right of consumers to limit or object to the handling of personal data
  • Doesn’t have data breach notification requirements
  • There’s no need to appoint a Data Protection Officer
  • There is no need for risk assessments related to high-risk processing activities

The Data Care Act will be enforced by the Federal Trade Commission which can issue fines for noncompliance, as can state attorneys general.

GDPR violations can draw a penalty as high as €20 million or 4% of global yearly turnover, whichever is higher. The maximum fine for violations of the Data Care Act is set at $16,500 per covered person.

The bill is mainly focused on introducing new privacy laws for online organizations, ISPs and FCC common carriers, though it also has implications for regulated sectors like the financial services and healthcare companies.

The Data Care Act covers health information in three categories:

  • Health information associated with the provision of medical services in connection with a person’s physical and mental health
  • Health information processed in relation to providing health and wellness services
  • Health information from medical tests, such as genetic and biological tests

The FTC is also authorized to further specify the types of data categorized as health information.

People will have the right to complain about the completeness of their personal health information (PHI), although the Act does not preempt laws addressing the collection, usage, or sharing of health data covered by HIPAA or financial data covered by the Gramm-Leach-Bliley Act.

Senators Maggie Hassan (D-N.H.), Tammy Duckworth (D-Ill.), Michael Bennet (D-Colo.), Patty Murray (D-Wash.), Amy Klobuchar (D-Minn.), Cory Booker (D-N.J.), Martin Heinrich (D-N.M.), Catherine Cortez Masto (D-Nev.), Sherrod Brown (D-Ohio), Ed Markey (D-Mass.), Tammy Baldwin (D-Wis.), Joe Manchin (D-W.Va.), Doug Jones (D-Ala.), and Dick Durbin (D-Ill.) co-sponsored the bill.

The bill’s discussion draft is available for download from the Center for Democracy and Technology here.