A year ago, the possibility of enacting consequential U.S. data privacy legislation was incomprehensible. Rep. Will Hurd (R-TX) claimed as much when asked whether a U.S. version of the European Union’s General Data Protection Regulation (GDPR) was likely. He argued, “A year ago, the answer would have been not ‘no’, but ‘hell no’.” But what a difference a year makes. Following the mega breaches, unauthorized or obscure data sharing with third-parties, coupled with both state-level laws (e.g., the California Consumer Privacy Act, CCPA) and international regulations such as the GDPR, Congress is increasingly pressured to implement a U.S. federal data privacy law.
This is long overdue and reflects how much U.S. policy lags behind other nations. The most notable recent cybersecurity law was the Cybersecurity Enhancement Act of 2014, but that largely established voluntary standards for organizations and lacked any repercussions for non-compliance. Instead, data privacy in the United States has been segmented by industry-specific policies such as the Health Insurance Portability and Accountability Act or the Federal Financial Institution Examination handbook.
States are also passing their own legislation. The CCPA is the most far-reaching and includes consumer access to data and erasure, opting out of data selling, transparency with user agreements and penalties for violations. Vermont also recently passed data broker regulations that include encrypting data, reporting breaches, and greater transparency with opting-out. Moreover, with South Dakota and Alabama passing data breach notification laws in 2018, all fifty states plus Guam, Virgin Islands, Puerto Rico, and Washington, DC, now have distinct data breach notification laws.
This combination of global and domestic forces bodes well for data privacy to remain within the public conscience, but can the U.S. finally pass impactful data privacy legislation? Over the past year, several proposals have emerged in Congress, but have made little progress. For instance, the Consumer Data Protection Act of 2018 provides the Federal Trade Commission (FTC) greater oversight on preventing the monetization of consumer data through automated processes, including the application of personal information, rights, and biases. It includes a fine up to 4% of annual revenue for violations. Last summer, Rep. Hank Johnson (D-GA) introduced two bills that focused on protecting data on mobile devices and one on opting out of data collection. A bipartisan bill introduced by Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) focuses on data collection and use by social media companies, while the recent Data Care Act introduced by over a dozen Democrats mandates consumer data be secured and used in the consumers’ best interest, not that of the corporation.
While these proposals signal the importance of data privacy, a comprehensive federal regulation is required to streamline business processes, stimulate innovation, protect consumers, and introduce an American data privacy model with global impact. There are several overarching rights that should be included in a federal data privacy law. The CCPA is a great place to start for baseline requirements, including the private right of action to ensure accountability if a breach occurs and data is not encrypted or anonymized. As we’ve seen, accountability is critical to driving responsible data security behaviors, which is why a federal breach notification requirement with strong and consistent penalties is also necessary.
Next, there must be greater transparency regarding data collection: how data is being used, and who has access to it (e.g., right to know and right to access). This would require an overhaul in some areas, such as terms of service agreements that obscure instead of inform the public, and providing a clear mechanism to enable individuals to opt-out of having their data resold.
Finally, while a federal law should emulate several core rights from the CCPA and GDPR, there are aspects of recent laws that should not be replicated. For instance, Australia recently passed legislation that requires authorized access, echoing the joint proposal released last summer by Britain, Australia, Canada, New Zealand and the United States. If implemented in the U.S. with the same language, access requirements weaken security and could be leveraged by bad actors as well.
If last year is any indication, we are in the early phase of a much-needed movement toward data privacy within the United States. Comprehensive data privacy regulation should be the enabler that streamlines business regulations, strengthens security, sparks innovation, and ushers in U.S. global leadership in an area where it has largely been absent. Instead of waiting for additional international regulations to shape the U.S. economy and society, an American data privacy model would return greater self-determination and strengthen national and economic security.