In this two-part series, we explore the growing interest among United States (US) citizens and lawmakers in a comprehensive federal data protection law. Part 2 describes the provisions that would be beneficial to include and the actions organizations can take now to prepare. Part 1 examined the market drivers and potential impact of a comprehensive federal data protection law.
The Benefits of a Comprehensive Federal Data Protection Law for the United States, Part 1
Consumers and citizens increasingly value data protection, as a growing number of studies show. For instance, 76 percent of consumers say they won’t buy from a company they can’t trust with their data, and 81 percent say the way a company treats their personal data indicates whether it respects them. That’s according to the fourth annual Cisco Consumer Privacy Survey, which queried 2,600 adults in 12 countries.
It's no surprise, then, that governments are increasingly interested in enacting data protection legislation. In fact, 61 percent of consumers believe laws have a positive impact on protecting privacy, the Cisco survey found.
Six states have comprehensive data protection statutes in place, and another 23 are introducing or have introduced legislation. The result for enterprises is a patchwork of compliance requirements and potential penalties. A comprehensive US federal law that provides a consistent framework for safeguarding personal data could help address this.
What a Federal Data Protection Law Should Cover
What provisions should a comprehensive federal data protection law include? Here are seven key issues that would be beneficial to address in any national-level legislation:
1. Data categories
Federal legislation should make clear what data is subject to the law. In general terms this should include personally identifiable information (PII) such as name, address, and telephone numbers as well as identifying data such as location, IP addresses, and online cookies. More stringent protections for sensitive PII such as race or ethnicity, financial or health records, and political affiliations would be appropriate to include in the legislation as well.
2. Scope and context
The law should also specify the geographic scope and use-case context of the PII. In particular, the provisions should have an extraterritorial scope, similar to the European Union’s General Data Protection Regulation (GDPR), to allow it to apply to the data wherever it’s stored or transmitted. That way, even if the data travels outside the borders of the US, it’s still protected under the US law.
3. Individual empowerment
A fundamental aspect of data protection and privacy is personal agency and control. Consumers and citizens should have a say over who collects their data, how it’s collected, what kind of data is collected, what it’s used for, and to whom it is transferred. They should also be notified when their personal data is being collected or used. They should likewise have the right to opt out of certain uses – quickly and easily – unless other laws require that certain data be retained for specific reasons, or there is an overriding justifiable reason for the organization to keep such data. For instance, the law could allow individuals to prevent organizations from sharing their data for marketing purposes or to demand that their data be deleted, while permitting organizations to retain such data if otherwise required by law.
4. Incorporating a balanced approach
When it comes to data protection laws, some legislation tends to incorporate overly stringent requirements that could seriously inhibit companies’ ability to conduct standard operations. For example, a bill proposed by India’s government was withdrawn in 2022 because of the significant impact its burdensome requirements would have had on India’s economy. A US federal law should take a more balanced approach, enabling organizations to collect, retain, and use data in ways that don’t restrain business to an unreasonable degree, so long as the data is appropriately protected and used in accordance with the rights of the individual.
5. Data protection best practices
The legislation should define how to protect PII and delineate levels of protection for certain types of data and use cases, while maintaining an appropriate level of flexibility to ensure that industries are able to develop relevant standards within their field. The specific methodologies and technologies required to achieve such safeguards can be left to the regulatory body that enforces the law, advisory boards, and other data protection oversight organizations (“Regulators”).
For instance, the law might dictate that one level of protection is required when moving PII to an economic zone with robust privacy and protection rules, while a higher level is needed for data transferred to a higher-risk jurisdiction. That level of protection might call for data encryption, though the law wouldn’t likely spell it out to that level of specificity, leaving the details for the Regulators.
6. Executive and board engagement
Data protection is both a business issue and a societal concern, so it can no longer be relegated to the IT department. Instead, executive decision-makers and boards of directors need to be involved. The GDPR, for example, requires companies processing personal data to appoint a data protection officer (DPO).
A US law should set corporate accountability standards, ensuring that data privacy and protection receives the attention it deserves. It’s noteworthy that the SEC’s proposed rules on cybersecurity risk management will require boards of public companies and investment firms to review and approve cyber policies and procedures.
7. A single enforcement authority
Finally, a single overriding agency should be empowered to enforce the law. A likely candidate would be the Federal Trade Commission. The governing body should be responsible for defining regulatory guidelines and for monitoring compliance. What’s important is that individuals and state regulators have a single entity they can contact about privacy concerns, and that businesses have a single regulator they can interact with to demonstrate compliance and resolve issues.
Making Data Privacy and Protection Proactive
A proposed federal privacy bill, the American Data Privacy and Protection Act (ADPPA), stalled in 2022 over states’ rights concerns but could be reintroduced to the House floor in 2023. In the meantime, following California’s lead, Colorado, Connecticut, Utah, Virginia, and Iowa are beginning to enforce their privacy laws.
Organizations should take action now to safeguard their data, protect employee and customer privacy, and ensure compliance. Start by assessing the data you collect and generate. Determine where it’s located across datacenters, clouds, networks, and endpoints. Document who has access to it, what they do with it, and how it’s shared. Data security consulting services and data visibility solutions can prove invaluable to this effort.
Visibility into your data enables you to understand its level of sensitivity and its risk of exposure. That knowledge leads directly to the policies, procedures, and technologies you need to protect it – including solutions such as data loss prevention, user activity monitoring, and zero trust network access.
The compliance requirements of a comprehensive federal data protection law are likely to represent cybersecurity best practices anyway. Organizations that prepare to comply will be taking actions that also protect their own sensitive data and reduce their business risk. The time to begin is now.