S. 1151 - Personal Data Privacy and Security Act

in
Share this

See the 1-page pdf

Surreptitious computer users, errors and other factors have lead to high-profile security breaches of consumer’s personal information susceptible to criminal abuse like identity theft and fraud.

Points to appreciate in Senator Patrick Leahy’s S. 1151
S. 1151 has provisions that MRA supports and appreciates, such as:

  • the inclusion of both for-profits and not-for-profits (data breaches do not recognize the difference);
  • exemption from notification for breach of encrypted or undecipherable data;
  • a national standard, preempting the confusing and costly patchwork of state laws; and
  • the prohibition of private rights of action.

“Sensitive personally identifiable information” should not include factors such as date of birth, home address, and phone number
MRA is concerned that the inclusion of date of birth, or a home address or phone number as factors in the definition of “sensitive personally identifiable information” could compromise the ability of survey and opinion research, which can often require an accurate measure of an individual’s age as part of research studies.

The data broker provisions would imperil survey and opinion research
The definition of a “data broker”[1] would likely encompass companies that provide statistical samples for survey and opinion research. S. 1151 would require them to allow consumers access to data about them and an opportunity to correct inaccuracies.

The cost of access and the ability of companies to authenticate the identity of consumers requesting access are serious concerns and weigh heavily against survey and opinion research companies being required to grant access.

MRA seeks either the elimination of the data broker provisions in S. 1151, or an exclusion from these provisions for data brokers who solely serve bona fide survey and opinion research. The use of data should matter, not just its existence. Data collected, used and shared for survey and opinion research purposes should not be subject to access and correction – especially given that consumer concern focuses on commercial data brokerage for marketing, credit and employment purposes, not on research purposes.

Enforcement authority of State Attorneys General (AGs) in S. 1151 is excessive
State AGs, under S. 1151, could bring civil actions for excessive amounts of money, even when entities are already facing Federal civil or criminal actions for the same violations.

[1] Sec. 3(5) “DATA BROKER- The term `data broker' means a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.”