Democratic senator introduces data privacy legislation

Sen. Catherine Cortez Masto (D-Nev.) is introducing legislation aimed at strengthening data privacy protections for American consumers.

The Digital Accountability and Transparency to Advance Privacy Act would apply standards to all data collection, processing, storage and disclosure — including that it only be done for legitimate business or operational purposes.

The legislation would also bar companies from using consumer data in discriminatory ways and from engaging in deceptive data practices.

Consumers would be given the right to request, contest, transfer or delete data collected on them without retribution.

The act would require businesses to let consumers opt out of most personal data collection and require opt-in consent for sensitive information, including health and precise geolocation data. Opt-in consent would also be required for use of data for anything outside of the direct business-to-consumer relationship.

Businesses that collect, store or process data on more than 50,000 people a year would be impacted by the legislation.

Those covered businesses making more than $50 million per year would also be required to designate a privacy protection officer to set standards and train staff. 

“Big technology companies shouldn’t be gathering mountains of consumers’ data without their knowledge and consent,” Cortez Masto said in a statement. 

The Nevada lawmaker’s bill comes as lawmakers have struggled to get a federal privacy standard over the finish line despite years of promises.

It also provides a different angle to remedy some of the biggest issues dogging Big Tech firms like Facebook, now rebranded as Meta, without getting into thorny debates about limiting speech.

Previous data privacy bills have gotten hung up on two key issues: whether federal frameworks should preempt state legislation and if individuals should have the right to sue over violations.

Cortez Masto’s bill cedes some ground to Republicans who opposed letting individuals sue over fears of bogging down businesses in courts, giving enforcement authority to the Federal Trade Commission and state attorneys general.

It does hold the line on preemption though, allowing states to set more rigid frameworks if they so choose. Business groups have long opposed letting a federal framework serve as a floor for data privacy, arguing that letting states add on rules would create a patchwork of requirements that would hamper companies.

Businesses are already required to comply with the California Consumer Privacy Act and Europe’s General Data Protection Regulation, as well as upcoming rules in Virginia and Colorado.