For the first time, a US national privacy law looks likely—and soon.
There’s been serious movement from both sides of the political divide, and strong and increasing action from some states.
The US has long been lagging behind the rest of the world in this. It’s one of the only major global economies without strong national privacy laws akin to the GDPR.
It almost goes without saying now that privacy laws are essential for many reasons, not least of which is that, in an increasingly digitized world, businesses simply must be better stewards of the vast volumes of users’ personally identifiable information they hold, both to uphold the fundamental human right to privacy and to protect users from harm.
For consumers, the delay in getting a national law has not been for want of trying. They’ve long been calling for change to how companies treat their personal data. In 2019, Pew Research revealed 75 percent of consumers want more privacy online. A US national privacy law is no longer about if but when.
Having a national privacy law would not only bring the US more into line with most other major economies, it would also establish a uniform set of data privacy rights for consumers and a single set of rules for business. While state-level action is commendable—California and Virginia now have comprehensive privacy laws and we’re watching several other states with interest—only a federal law could offer blanket data protection.
Commentators on this issue are feeling optimistic, particularly this year, because from the plethora of federal privacy bills put forward, there are three standouts:
Consumer Online Privacy Rights Act (COPRA) (Democrats) – Sponsored in November 2019 by Democratic Senator Maria Cantwell of Washington, this bill is considered by some to be “GDPR-esque” and more consumer-friendly than business-friendly. The bill requires “entities that process or transfer a consumer’s data to:
- delete or correct, upon request, information in an individual’s data;
- export, upon request, an individual’s data in a human-readable and machine-readable format;
- establish data security practices to protect the confidentiality and accessibility of consumer data; and
- designate a privacy officer and a data security officer to implement and conduct privacy and data security programs and risk assessments.”
The bill would also prohibit those entities from:
- “engaging in deceptive or harmful data practices;
- transferring an individual’s data to a third party if the individual objects;
- processing or transferring an individual’s sensitive data without affirmative express consent;
- processing or transferring data beyond what is reasonably necessary or for which they have obtained affirmative express consent;
- processing or transferring data on the basis of specified protected characteristics (e.g., race, religion, or gender);
- conditioning the provision of a service or product on an individual’s agreement to waive their privacy rights; and
- retaliating against an employee who provides information about a potential violation of the bill’s provisions, or who testifies or assists in an investigation or judicial proceeding concerning such a violation.”
If this bill succeeds, it would require the Federal Trade Commission to establish a new bureau to help enforce the provisions. Read what the EFF has to say about COPRA.
Setting an American Framework to Ensure Data Access, Transparency and Accountability Act (SAFE DATA Act) (GOP) – Combining three previous bills, the SAFE DATA Act is considered by some to be more “business friendly”. It is well summarized in this article from Security Boulevard:
“This law would expand what’s considered sensitive data and include enacting data security standards to accompany data privacy standards. It would create rights to transparency, access, deletion, correction, and portability and require opt-in consent to process or transfer “sensitive covered data.” Under this law, businesses would need to name privacy and data security officers within their firms and meet “reasonable” and “appropriate” data security requirements … This bill introduces an algorithmic ranking system to determine how content can be presented to consumers. It also establishes regulations for the “manipulation of user interfaces”, which prevents deceptive UIs from coercing customers into giving up personal data. The SAFE DATA Act would be enforced by the FTC and state attorneys general, take precedence over state privacy laws, such as CCPA, and would not include a private right of action.”
The IAPP provides this handy infographic showing how the three bills were combined into the SAFE DATA Act:
Information Transparency and Personal Data Control Act – Re-introduced by Congresswoman Suzan DelBene (WA-01) for the fourth time (most recently on March 10, 2021), this bill “… protects personal information including data relating to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, Social Security Numbers, and religious beliefs. It also keeps information about children under 13 years of age safe.” Beyond this, it requires businesses to write their privacy policies in simple language.
DelBene outlines the key elements of the Information Transparency and Personal Data Control Act as:
- “Plain English: Requires companies to provide their privacy policies in “plain English”
- Opt-in: Allows users to “opt-in” before companies can use their most sensitive private information in ways they might not expect
- Disclosure: Increases transparency by requiring companies to disclose if and with whom their personal information will be shared and the purpose of sharing the information
- Preemption: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws
- Enforcement: Gives the Federal Trade Commission (FTC) strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. Empowers state attorneys general to also pursue violations if the FTC chooses not to act
- Audits: Establishes strong “privacy hygiene” by requiring companies to submit privacy audits every 2 years from a neutral third party.”
The bill would be enforced by the FTC, and it also requires the FTC to hire 500 additional staff to focus on privacy and data security issues, 50 of them with technical expertise in the area, and to receive $350 million to implement the plan.
Omer Tene, VP of the IAPP, says of the bill, if enacted: “This will place the FTC at the forefront of the global regulatory effort to implement data protection laws and develop privacy policies.”
What would consumers get out of a national privacy law?
- Capacity to opt out of forming long-term relationships with companies for one-off transactions
- Freedom from needing to choose services and providers based on location, especially if a US national law is compatible with the GDPR
- New ways to engage with business for those willing to give companies access to their data (new business models emerging from this leveraging of personal information).
When we forecast where privacy would be in the next 10 years, we said that we believe that by 2030 “opt out” won’t mean “miss out” and that big tech will have abandoned the mantra that if you are not charged for the product, you are the product. We foresaw the regulatory environment supporting these changes, with consumers demanding to have their data collected but forgotten, and legislation making this possible.
Now, we’re really seeing some evolution in this space. Let’s see how much longer this takes.