After originally being brought to the US Senate in 2020, the SAFE DATA Act has now been re-introduced with changes to privacy protections related to opaque transparency. The parts that called for profiling and psychological research related to large online operators and social media platforms have also been removed.
The most important parts of the Act are very similar to the requirements that GDPR brought in across Europe in 2018. Some of the key points that are included are listed below:
- Right to opt out
  - Before any information about an individual is collected, processed or transferred, they must be given a clear opportunity to opt out of such activities.
- Prohibition on inferred consent
  - It will no longer be acceptable to infer consent. This means that an individual must provide affirmative express consent. This cannot be inferred from things such as inaction (not clicking a box to opt out of activities) or by the continued use of a service or product.
- Withdrawal of consent
  - Individuals must be provided with a clear and conspicuous means to withdraw affirmative express consent.
- Data minimisation
  - Data collected must not be beyond what is necessary to provide or improve a service, product or communication.
- Individuals have the right to access any data held on them. They are also able to have a list of third parties and service providers to which their data has been transferred, if applicable.
- Individuals have the right to have their data deleted or de-identified.
- Privacy Impact Assessments (PIA)
  - Large data holders must conduct PIAs once every two years to assess the processing activities involving data that may present risks. The assessment must weigh the benefits of its collection against the potential consequences to individual privacy.
Aside from stricter data regulations, it will now be a requirement for companies to have a Data Protection Officer (DPO). The DPO will be responsible for coordinating the policies and practices involving personal data, and must ensure that these are all compliant with every aspect of the SAFE DATA Act.
Value Privacy has a lot of experience with being GDPR compliant in Europe. If we’ve learnt anything, it’s that preparation for an Act this large cannot wait. If the SAFE DATA Act is passed, it will come into effect 18 months after enactment, so it’s important to get ahead now to make sure you don’t run out of time.
Even if the SAFE DATA Act isn’t successful in the Senate, there are currently 33 states that have either adopted their own privacy laws or are in the process of creating their own. This is not something that can wait, and that is what we are here to help with. Contact us for a free, confidential assessment to see how we can simplify this process for your company.