Digital Accountability and Transparency to Advance Privacy Act (DATA Act)

As of 2022, there is no single, comprehensive federal law governing data privacy in the United States; instead, there is a patchwork of laws that target very specific fields, offering protection for specific individuals in specific circumstances. Take the Family Educational Rights and Privacy Act (FERPA), for instance, which specifies which individuals can request student education records, or the Fair Credit Reporting Act (FCRA), which deals only with information in an individual’s credit report. Europe, on the other hand, has “the toughest privacy and security law in the world”—the General Data Protection Regulation (GDPR), which sets strict obligations for any organization that targets or collects data related to individuals within the European Union.[1]

It is for this reason that H.R. 5807, the Digital Accountability and Transparency to Advance Privacy Act (DATA Act), was introduced in November 2021; by “[establishing] national data privacy standards in the United States,” it seeks to finally give an individual’s data the privacy and protection it has always needed.[2]

Required Data Practices

The DATA Act sets a one-year time limit for covered entities to implement the new regulations, procedures, and processes that meet the requirements listed in the Act. This includes ensuring that all data collection, processing, storage, and disclosure

 1) meets a reasonable interest of the individual whose data is being handled,

 2) is relevant and appropriate to the context of the relationship between the individual and the covered entity,

 3) prevents and detects abuse, fraud, and other criminal activity, and

 4) follows reasonable communication and marketing practices that meet best and ethical standards.

Of course, the data collection can’t serve any discriminatory practice or deceptive purpose, and covered entities must provide individuals with easy-to-find, easy-to-understand, and easy-to-complete methods to opt out of the data collection.

Privacy Notice

Under this section of the DATA Act, a covered entity has to give notice of

 1) what data it collects, processes, stores, and discloses, as well as the sources that provided the data if the entity didn’t collect the data itself,

 2) how and why it is collecting, processing, and storing the data,

 3) the parties it is disclosing the data to and why, and

 4) a conspicuous way for individuals to access the methods necessary to exercise their rights under later sections.

All of this must be posted in an obvious and accessible location, be written in clear and easy-to-understand language, and be free of charge.

Individual Control Over Data Use

Individuals would be granted substantial control over the collection and use of their data under this Act. Upon request, an individual would be entitled to

 1) access to the covered data being stored about them,

 2) a means to dispute and resolve the accuracy (or lack thereof) of the covered data being stored about them,

 3) the deletion of their data, and

 4) to transfer the data to the individual in a format that’s standardized and

However, if the covered data is pseudonymous data, the covered entity can decline the request if it is not technically feasible to hand the data over. The entity must fulfill any of the above-mentioned requests as far as is reasonably possible, and cannot discriminate against an individual because of any action the individual has taken.

The Act certainly has more to it, including sections that cover enforcement and a requirement for large corporations to have at least one qualified employee act as a privacy protection officer, among others. It might not be as comprehensive or as strict as the EU GDPR, but it’s absolutely a step in the right direction toward standardized and comprehensive data protection for individuals within the United States.

Currently, the Act is still at the introduction stage in the House, but we’ll hopefully have some good news soon.

