Federal data privacy regulation is on the way
It’s only a matter of time before the United States passes federal data privacy legislation, and it will deliver multiple benefits for consumers and businesses alike. This trend started in earnest with the passage of the California Consumer Privacy Act in 2018, and California voters added new momentum on Election Day 2020 when they approved Proposition 24, also known as the California Privacy Rights Act. Although the CPRA isn’t as comprehensive as the EU General Data Protection Regulation, it is the strictest data privacy law in the U.S. The CPRA draws on many key aspects of the GDPR, and it reflects a growing awareness of data privacy risks among lawmakers, consumers and businesses.
Instead of a hodgepodge of disparate state laws, federal privacy legislation would give consumers across the nation a clearer understanding of their rights, and it would help businesses grasp their specific obligations for achieving compliance. The push for privacy legislation in Congress has increased since 2019, when Sen. Ed Markey, D-Mass., introduced the Privacy Bill of Rights Act, followed by Sen. Maria Cantwell’s, D-Wash., Consumer Online Privacy Rights Act and Sen. Roger Wicker’s, R-Miss., United States Consumer Data Privacy Act. Those bills informed congressional debate and led Wicker to introduce the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act in September 2020. However, the SAFE DATA Act still faces challenges on several contentious issues, such as the preemption of state privacy laws and the lack of a private right of action, which would allow consumers to file class actions for certain violations.
Those legislative proposals reflect the willingness of U.S. lawmakers on both sides of the aisle to enact a comprehensive, overarching data privacy framework. For companies seeking clarity amid uncertainty, it’s important to recognize the advantages that a federal privacy law offers. In addition to giving consumers more control over their personal data, it would provide businesses with a legal standard for how to collect, store, use and share data, and it could also help businesses meet applicable data privacy requirements in international jurisdictions.
The status of privacy laws in the US and globally
As data became the lifeblood of the digital economy, it was inevitable that increased regulation of how that data is used would follow. Moreover, privacy laws are hardly new to the U.S. The right to privacy is alluded to in the Fourth Amendment of the U.S. Constitution (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated … ”).
Various federal laws — including the U.S. Privacy Act of 1974, Health Insurance Portability and Accountability Act of 1996, Children’s Online Privacy Protection Act of 1998, and 1999 Gramm-Leach-Bliley Act — specifically protect the rights and data of U.S. consumers, patients, minors and others. Additionally, all 50 states, as well as the District of Columbia, Puerto Rico, Guam and the Virgin Islands, already have data breach notification laws. However, in the absence of a federal data privacy law, CCPA copycat regulations continue to build on the industry- and sector-specific models already adopted in the U.S., creating a situation that drives confusion and increases costs for companies of all sizes.
Comprehensive regulations, such as the GDPR or Brazil’s General Data Protection Law, provide succinct frameworks and guidance that allow room for individual member states to interpret certain aspects of the regulation differently while still providing general consistency. Canada, China and India have also proposed sweeping new privacy laws — or amendments to existing laws — that could be adopted during 2021.
Advantages of a federal privacy law
The trend toward improving and standardizing data privacy practices is not going away, and there are two distinct advantages to passing federal legislation on it. First, it would provide consumers more control over their personal data in a uniform way. Similar to complying with HIPAA or COPPA, a single federal privacy regulation would allow companies to focus on building general compliance by establishing one framework that provides the most stringent regulation. Rather than deal with a patchwork of similar but divergent state laws, businesses would face streamlined compliance requirements under federal legislation, helping them understand their obligations and helping consumers understand their rights. Organizations that make a concerted effort to protect consumer data also have an opportunity to strengthen consumer confidence.
Second, a federal privacy regulation would strive to meet the adequacy requirements of the GDPR and other comprehensive privacy frameworks abroad. The invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union in July 2020 created new uncertainty for businesses, and it highlighted the pressing need for a federal privacy law in the U.S. that conforms to GDPR requirements. This ruling on the Privacy Shield particularly affects large global companies headquartered in the U.S. Although the CJEU upheld existing standard contractual clauses for the time being, SCCs are also under legal scrutiny because U.S. surveillance laws are not necessarily compatible with the GDPR or the EU’s Charter of Fundamental Rights. At the same time, the European Cloud Initiative (also known as GAIA-X) seeks to create stronger protections for the EU’s data infrastructure. Federal privacy legislation in the U.S. could help allay the concerns of EU lawmakers and businesses by unifying the data protection framework across the U.S., which would help clear certain barriers to international data transfers.
Proactive steps to take now
Many U.S. companies have already taken steps to comply with the GDPR, which took effect in May 2018, and with the CCPA, which took effect in January 2020. These laws apply to any organization that collects and processes the data of consumers in the EU and in California, respectively. Having acted on those compliance obligations can give businesses a potential advantage over those that have not yet updated their policies and processes. And there are many businesses in the U.S. that the GDPR and CCPA do not apply to, so a significant adoption gap remains.
Of note, compliance is far from the only goal, as there are additional enterprise benefits that come from bolstering data protection. Building a comprehensive data inventory helps businesses understand precisely what data they have, how it’s used and stored, and where and how it’s shared across the data lifecycle. This inventory helps businesses manage and protect consumer data, in addition to facilitating consumer requests to access or delete their data. Further, improving data management helps an organization ensure data consistency and avoid dark or unstructured data, thereby improving data analysis and insights for decision-making.
The road ahead
Uncertainty remains about some provisions of a federal privacy law, and there will be more debate on key aspects ahead. Nevertheless, a clear and consistent U.S. framework for data privacy would have significant advantages for businesses and consumers alike. Rather than wait for the passage of federal privacy legislation, it can be beneficial for all U.S.-based companies to take proactive steps now to update their data protection practices, which can help increase firm-wide resilience and potentially avoid additional compliance costs down the line.