“America will have a Federal privacy act by the end of 2019, coming into play by the end of 2020.” This bold prediction was made to me by analyst firm IDC in a recent discussion regarding the impact of GDPR on global data protection. This would represent a radical attempt to consolidate all 50 states’ disparate laws - but with much of the world already adhering to GDPR principles, is America not just late to the party? So why now?
Much of the timing has to do with America’s approach to privacy. The Europeans have approached legislation on the principle that they see privacy as a human right, whereas the U.S. approach is to put legal compliance first. Alternatively put, an ethical and aspirational approach versus what is commercially or practically achievable.
The initial drive for U.S. privacy laws was arguably triggered by a commercially pragmatic view that GDPR compliance is a cost of doing business with or in the EU. But in the light of recent high-profile scandals like Cambridge Analytica, there is a growing understanding that stronger protections are needed, and privacy is being embraced by U.S.-based Big Tech as a competitive differentiator. Mark Zuckerberg has stated in an open letter that “New privacy regulation in the United States and around the world should build on the protections GDPR provides.”
On a state level, America has a good record on data breach legislation - all 50 states have implemented rules requiring notification to individuals when their personal information (PI) has been compromised. But straight away the problems are evident – there are 50 different approaches to mitigation and penalties for organizations to comply with.
California was one of the first states to initiate data breach laws, and it is still leading the charge with the California Consumer Privacy Act (CCPA). Signed into law in June 2018, the CCPA becomes effective on January 1st, 2020, making California the first state to offer an overarching data protection law. (It should be highlighted that while the CCPA has been called ‘GDPR-like’, it is notably different.)
Other states are following suit, with Colorado, Ohio, Vermont, Virginia and Washington among those implementing or planning privacy legislation. The potential for chaos, and hence the need for a fast Federal response, are both evident: in January 2019, a Government Accountability Office (GAO) report stated that ‘Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.’
Will Congress be able to react before the CCPA comes into effect? That remains to be seen, but in the meantime organizations are left with uncertainty. IDC offered some basic advice in our webcast: “If you have spent the past 24 months working on GDPR, then you have done some good groundwork; use it as a benchmark. For those where privacy-based compliance is new, these organizations will need to put themselves in a defensible position and make good risk-based business decisions to support their privacy stance.”
You can hear the full discussion in our webcast, Beyond GDPR: America wakes up to privacy.