Privacy Laws in the U.S.
Privacy laws in the US have been an ongoing topic of conversation since the Cambridge Analytica scandal (personal data harvested from Facebook users was used to target political advertising) and the General Data Protection Regulation taking effect in the European Union in May 2018. Together these events raised consumer awareness of how companies collect, share and sell personal data for profit, and sparked questions throughout the United States about where the line is when it comes to online privacy.
The idea that personally identifiable information deserves protection has been debated in the United States for more than a hundred years; however, no right to privacy is explicitly written into the United States Constitution. Data privacy is also not ingrained in American culture the way it is in Europe and other parts of the world. As a result there is no comprehensive federal data protection law; federal coverage is sectoral (for example HIPAA for health data, GLBA for financial data and COPPA for children under 13), and everything outside those sectors is left to general FTC consumer-protection authority. Several states, however, are tackling the question.
50 Paths to Privacy
U.S. State-Level Privacy Laws
In 2002 California enacted the first law requiring businesses to notify consumers when their personal data was compromised by a breach. By 2018 all 50 states had some type of breach notification law. However, that is 50 different definitions of what counts as personal information, what constitutes a breach, who must be notified, and how quickly.
Also in 2018, several states began passing laws that go beyond breach notification. Again, California led the way with the California Consumer Privacy Act, which gives its residents specific rights over their data. Vermont focused on regulating data brokers, the companies that buy and sell personal data. Iowa took steps to protect students, limiting the data handling practices of companies whose users are primarily K-12 students. An additional nine states strengthened or added data breach laws in 2018: Alabama, Arizona, Colorado, Louisiana, Nebraska, Oregon, South Carolina, South Dakota and Virginia.
United States Federal Data Privacy Law Outlook
While state attention to data privacy is an important step forward in the United States, it leaves the country with a patchwork of approaches to protecting residents' data. That quickly becomes overwhelming and unclear for businesses trying to comply with many differing requirements at once, since a company operating nationally must satisfy the strictest applicable state rule.
Congress has begun to explore the topic. In 2018 it heard testimony from several technology giants, including Google, Apple and Twitter, who supported a single nationwide data privacy law that would streamline compliance efforts.
Most recently, the Data Care Act was proposed. If enacted, it would be the first comprehensive federal data privacy statute rather than a sector-specific one. The bill defines the scope of personally identifiable information, requires online service providers to protect the consumer data they hold, extends those obligations to third parties with whom data is shared, and identifies the Federal Trade Commission (FTC) as the enforcing regulator. It also gives state attorneys general the right to bring civil actions against service providers.
While a reasonable step forward, the Data Care Act is one of several proposals under consideration. It will likely change over time before it, or some form of it, becomes a federal law.
Protecting Your Company from Privacy Laws
That said, it is likely that federal data privacy legislation will happen in the near future. Between that, the existing state-level laws and those in other parts of the world, businesses of all sizes must start seriously evaluating their data handling processes and putting the necessary safeguards in place. Even if they are not yet subject to a specific data privacy law, businesses need to start preparing for the inevitable.
Start thinking beyond simply stopping a breach and:
- audit what personal data is collected, where and when it is collected, where it flows, and how long it is retained,
- document and automate processes for data handling, including deletion and access requests,
- review and update notifications, privacy policies and other data-related statements so they match what the systems actually do,
- evaluate opt-in/opt-out mechanisms and confirm they are honored downstream,
- establish incident response and notification procedures for when a breach occurs, keeping in mind that notification deadlines and recipients differ by state, and
- train internal teams on appropriate data safety precautions.
The reality is that there are a thousand reasons why a data breach may occur, and another thousand ways in which businesses can respond. As such, there is no single solution to what is required to keep people safe. But reasonable, documented precautions will go a long way toward showing consumers that you have their best interests at heart, and regulators judge on the controls you can demonstrate, so they may also reduce the consequences you face under data privacy law.