Safe Data Act: A New Privacy Law in the Town

The Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act was introduced in the US Senate in 2020. It did not become law, but the bill is worth understanding because it telegraphed where federal US privacy regulation was heading, and many of its ideas have resurfaced in later proposals.

For anyone running a product that touches US consumer data, the SAFE DATA Act remains a useful reference point.

What the bill would have done

SAFE DATA proposed a federal baseline of consumer privacy rights, modelled loosely on GDPR and CCPA but with US-specific carve-outs. The headline provisions:

• Consumer rights. Access, correction, deletion, portability, and opt-out of targeted advertising.
• Data minimisation. Businesses can only collect and process data needed for the purposes disclosed to the consumer.
• Sensitive data category. Stronger consent rules for data on health, finance, location, biometrics, and children.
• Algorithmic transparency. Disclosure when automated decisions produce legal or significant effects.
• Federal preemption. The federal law would have replaced most state privacy laws, including CCPA.
• FTC enforcement. Expanded FTC authority plus state attorneys general.

Why it mattered even though it did not pass

Three reasons SAFE DATA is still relevant:

• It set the template. Later federal proposals (ADPPA, APRA) borrowed its structure: consumer rights, data minimisation, sensitive-category protections, FTC enforcement.
• It clarified the fights. The two questions that killed every federal proposal so far are preemption (does federal law replace state law?) and private right of action (can consumers sue directly?). SAFE DATA picked one side of each, and that picked-side analysis still applies.
• It influenced state laws. Several state legislatures lifted language directly from federal proposals into their own bills.

The questions any federal privacy law has to answer

• Does it preempt state law? Industry wants yes. Consumer advocates want no. There is no obvious middle ground.
• Can individuals sue? A private right of action dramatically increases enforcement reach and dramatically increases business cost.
• What counts as sensitive data? Each new category adds compliance burden but also closes a loophole.
• How does it treat AI and automated decisions? The newest battleground, and the one most likely to evolve fastest.
• What is the small-business carve-out? Threshold too low and small businesses cannot comply. Threshold too high and most of the market escapes.

What this means for product teams

Even without a federal law, the direction of travel is clear:

• Build for the strictest privacy regime that applies to you. Today that is usually GDPR or CPRA. Federal law, when it lands, will likely be no stricter.
• Treat consent and data-subject rights as first-class product features, not compliance tasks.
• Minimise data collection. The cheapest data to govern is data you never collected.
• Build transparent automated-decision flows now. The rules are coming and retrofitting them is expensive.

The bottom line

The SAFE DATA Act did not pass, and no federal US privacy law has passed since. The state patchwork keeps growing. Companies that treat each new state law as a fire drill burn out. Companies that build one privacy programme to the strictest applicable standard scale calmly through whatever Washington eventually does.