What Tech Companies Need to Know About the SAFE DATA Act
Youāre probably well aware of the General Data Protection Regulation (GDPR) in Europe and Californiaās Consumer Privacy Act (CCPA). These two privacy laws provide fairly stringent requirements for businesses to uphold consumersā and employeesā right to privacy, and they use significant monetary penalties to punish those who break the law.
But what about a federal privacy law here in the United States? When will we have one, what will it cover, and what will businesses have to do to stay compliant?
Weāre getting close to having a national data privacy and security standard.
Over the last two years, multiple federal information privacy bills have found their way to Congress. Itās unlikely anything will pass during the remainder of the term, but Congress seems primed to legislate on data privacy in the upcoming sessionāpossibly running with the latest bill introduced by GOP senators known as the SAFE DATA Act.
In this article, weāll get you up to speed on recent developments in U. S. federal privacy legislation and go in-depth on the SAFE DATA Act. Weāll break down what your organization needs to do to prepare for the passage of a federal privacy law to ensure youāre effectively managing your privacy, cybersecurity and compliance risks.
SAFE DATA Act

Several signs support the trend that U.S. lawmakers are in favor of enacting a federal privacy law. The GDPR passed in 2018, and the CCPA came into enforcement on July 1, 2020. Senator Maria Cantwell (D-WA) put forth a federal privacy bill last year. Several GOP senators collaborated on the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA Act) in September of 2020.
The SAFE DATA Act shows promiseāitās a conglomeration of three previously introduced bills: the discussion draft of the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act.
This law would expand whatās considered sensitive data and include enacting data security standards to accompany data privacy standards. It would create rights to transparency, access, deletion, correction, and portability and require opt-in consent to process or transfer āsensitive covered data.ā Under this law, businesses would need to name privacy and data security officers within their firms and meet āreasonableā and āappropriateā data security requirements.
Itās important to note a couple of additions to the new SAFE DATA Act bill. This bill introduces an algorithmic ranking system to determine how content can be presented to consumers. It also establishes regulations for the āmanipulation of user interfacesā, which prevents deceptive UIs from coercing customers into giving up personal data.
The SAFE DATA Act would be enforced by the FTC and state attorneyās general, take precedence over state privacy laws, such as CCPA, and would not include a private right of action. These last two are partisan contention points, differing drastically from Democrat Maria Cantwellās competing bill of the previous year.
The SAFE DATA Act has drawn criticism for a perceived weakness: It collects data on a notice-and-consent basis. Many feel it lacks bite because companies can collect whatever data they want, providing itās disclosed in their privacy policyāthe one most people never read.

The key to staying safe: maintaining a consistent infosec compliance program
There are plenty of guides on creating effective data privacy programs, but here we will be focusing on the security side of data privacy.
The SAFE DATA Act and other bills introduced by Democratic senators require organizations to maintain a baseline level of data security. To be compliant, your organization will need to maintain an ongoing information security compliance program to minimize privacy compliance risk.
If the new federal privacy law is modeled after the GDPR and the CCPA, the law will hold your organization responsible for your third partiesā action. Your vendorās privacy slip can become your compliance violation. Needless to say, your organization must clearly understand and approve the risk profile of any partner you allow near your sensitive customer data.
Do you know how many third parties have access to sensitive data from your company and your customers? If you donāt, you should find out immediately.
According to a Ponemon institute, the average company shares confidential sensitive information with approximately 583 third parties. Even worse, only 34% keep a comprehensive inventory of these third parties. (source)
How to strengthen your risk management practices
Maintaining an effective information security compliance program starts with a thorough understanding of your risk landscape. What are the biggest risks in your environment? What controls do you already have in place to mitigate those risks?
Once control are identified, itās worthwhile to see how your controls stack up against standard controls in compliance frameworks such as the NIST SP 800-53 (National Institute of Standards and Technology) or ISO 27001 (International Organization for Standardization)
For instance, NIST SP 800-53 is a good reference framework to use because it offers a layered approach to cyber protection. It acknowledges that risks can be introduced in many ways, and risks may be realized even when you have solid, preventative controls in place. It recommends that organizations think through the preventative elements as well as the response elements of their infosec compliance program.
NIST SP 800-53 emphasizes five key areas: Identify, Protect, Detect, Respond, and Recover, and offers somewhere between three to six controls for each area.
Invest the time to implement controls in all five areas, and your organization can be confident that youāre reasonably secure across both cloud and traditional environments.
However, even after youāve checked to see that the right controls are in place to cover high risk areas, the work still isn’t done. Risk profiles can change by the minute as attackers devise new sophisticated schemes and as business units incorporate new tech into their operations, launch new digital initiatives (e.g., customer-facing mobile apps), and onboard new vendors.
Integrate compliance into business operations
Many issues arise when infosec compliance teams remain unaware of business operation changes — changes that may render existing controls obsolete. For instance, during the COVID-19 pandemic, a company might lay off employees and neglect to tell the security team, so user access controls might remain valid when they should be deleted.
Or the company might begin processing certain transactions on new apps, exposing confidential data to vendor risk. In both cases, the security risks there are well understood and can be controlled. The true risk is poor integration that leaves the security team isolated from the companyās changing risk profile.
Your infosec compliance team needs to have a way to regularly observe, test, and review your security policies, procedures, and controls. They need to have tools that allow them to spot issues in real time and respond quickly.
Unfortunately, modern infosec compliance teams stare down a rigorous challenge in keeping security controls current and policies relevant. Change happens fast in business, and compliance teams often struggle to identify control owners and stay in the loop. Busy schedules keep compliance teams on-the-go, often without the time to adequately observe and supervise the controls around critical systems.
Facing this adverse landscape, many forward-looking organizations turn towards innovative compliance operations software providers such as Hyperproof. Hyperproof knows that managing a compliance program consistently requires a lot of hard, tedious work. This work, when left undone, leaves an organization vulnerable.Ā
Hyperproofās solution is to make the work of maintaining a consistent infosec compliance program manageable. By using Hyperproof, compliance managers are able to:
- Reduce repetitive administrative work around key processes, such as collecting evidence for audits
- Assign controls to individuals or teams in business units and automate reminders for people to review their controls and provide fresh evidence
- Supervise, continually check, and critically observe the controls in place around compliance requirements and documented risks
- See the organizationās compliance posture in real-time and identify next steps to strengthen their compliance program
When an organization does all of their compliance work in a single platform like Hyperproof, itās much easier to demonstrate that the company takes information privacy very seriously should there be a breach that requires reporting to authorities.
This is important because, although civil penalty amounts havenāt been specified, itās possible the SAFE DATA Act may borrow a page from the CCPAāadministering lesser financial penalties for organizations capable of proving the existence of functional data privacy and security compliance program prior to an infraction. For that reason, you will want to keep a detailed record of your infosec and data privacy policies, be able to show youāve regularly tested and reviewed controls, and ensure all documentation of compliance activities is readily accessible.

Looking forward
Respecting your customerās privacy and protecting their sensitive data couldnāt be more critical in todayās business world. With a federal privacy law around the corner, wise organizations understand the advantages of being proactive. Successful teams will look to risk management frameworks like NIST and ISO for guidance, weave compliance into the company culture, and use modern tools to improve their ability to monitor and evolve their compliance program as regulations, technology, and their business landscape evolve.
Make no mistakeāthe daily management of compliance isnāt easy, and the coming federal privacy law will only raise the stakes. Start preparing today so your organization will be poised to lead in a world where privacy protection and regulatory compliance are paramount to business success. To learn more about how Hyperproof can support your organizationās effort to mitigate privacy and security risks, sign up for a personalized demo.
See Hyperproof in Action
Related Resources
Ready to see Hyperproof in action?










