Nevada Senator Catherine Cortez Masto (D-NV) recently proposed a bill called the Data Privacy Act, which aims to increase transparency of data collection practices, make companies more accountable for privacy, improve consumer privacy protections, and put an end to discriminatory data practices.
HIPAA-covered entities need to acquire patient consent before using or disclosing medical information for reasons not permitted by the HIPAA Privacy Rule; however, organizations not covered by the HIPAA Rules do not necessarily have to obtain consent.
A number of states have passed or are thinking of passing laws that cover health and other sensitive information gathered by organizations not covered by HIPAA, but there is no federal law requiring privacy protections. Congress is evaluating consumer privacy protections, but until a federal law is enacted, privacy protections are only enforced at the state level. Privacy protections differ considerably from state to state.
The bill, the Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, introduces GDPR-style data privacy protections to restrict personal data collection, safeguard collected data, and prevent personal data from being used to discriminate against certain persons. In the event that the Data Privacy Act is passed, consumers will have greater control over the types of data collected, how personal information is used, and to whom it can be disclosed.
The Data Privacy Act requires organizations to give consumers a way to opt in or opt out of the data collection and disclosures of sensitive information such as biometric data, genetic data, and location details.
The DATA Privacy Act requires consumers to be informed about the data that is collected and used and with whom the data will be shared. There must be a process that allows consumers to verify the correctness of their information, to ask for a copy of the data that has been collected, to transfer data, and to have personal information deleted without any adverse consequences.
There will also be restrictions on the information that may be collected. Firms will only be allowed to collect information if they have a legitimate business reason for doing so, and people whose information is collected should not be subjected to unreasonable risks to their privacy. The bill also aims to stop discriminatory advertising practices based on race, sex, gender, nationality, political affiliation, or religious belief.
Any organization that gathers the personal information of over 3,000 people in one calendar year must give consumers a copy of their privacy policies describing how collected data will be utilized.
Any business that generates over $25 million in revenue per year will need to designate a Privacy Officer, who will have the responsibility of training employees on data privacy.
The FTC and state attorneys general will be given authority to issue penalties for noncompliance with the DATA Privacy Act.