US Privacy Legislation: What’s Coming and What Should Companies Do To Prepare?

On 13 February, US Senator and former Democratic Party Presidential candidate, Kristen Gillibrand introduced legislation (the Data Protection Act) that would establish a US Data Protection Agency (DPA) for the first time. The bill would create a DPA responsible for enforcing privacy rules, launching investigations and sharing findings based on consumer complaints, and be tasked with fostering digital innovation in the US.

alexisserthumb

Alexis Serfaty
Policy Director, Asia & US
Alexis.serfaty@accesspartnership.com

On 13 February, US Senator and former Democratic Party Presidential candidate, Kristen Gillibrand introduced legislation (the Data Protection Act) that would establish a US Data Protection Agency (DPA) for the first time. The bill would create a DPA responsible for enforcing privacy rules, launching investigations and sharing findings based on consumer complaints, and be tasked with fostering digital innovation in the US.

Senator Gillibrand’s bill is the latest regulatory initiative on consumer data. Momentum has been steadily building in the US over the last two years and increasingly in the last several months around the need for comprehensive, uniform, federal data privacy legislation. Amidst this backdrop, what does 2020 (a general election year) foreshadow and what should companies do to prepare?

According to Senator Gillibrand, “the United States is vastly behind other countries…your data is extremely valuable to many companies with unknown motives, who are looking to exploit your data for profit.” This attitude is shared by many of her colleagues on both sides of the aisle in the Senate, as well as in the US House of Representatives. In response, Senators and Representatives of both parties have introduced nearly a dozen proposals for national privacy, embodying very different approaches. To be sure, a veritable “tech lash” permeates, with consumers driven by resentment and fear. But while Americans say they remain “concerned” about privacy and welcome enhanced protections and transparency in theory, they continue to share the most intimate details of their personal lives across a multitude of public domains and platforms.

The reluctance of Americans to sacrifice digital convenience and innovation for more privacy should not dissuade lawmakers and industry alike from making hard choices and working to enact comprehensive but thoughtful legislation aimed at safeguarding consumer information and ensuring transparent corporate policies, all while fostering innovation. It is likely that consumers will increasingly migrate towards companies that embrace data privacy and care while shunning those that do not.

While Congress weighs conflicting proposals, the current regulatory landscape in the US remains a mix of regulation on access to or use of personal data. Without a federal law in place, states are proceeding with their own regulations governing data privacy, that could impose sizable compliance costs on businesses and consumers. Several states have passed various data privacy bills at the state and local level, most notably and with most consequence, the California Consumer Privacy Act (CCPA), in effect since January 2020.

The bigger picture though is that regulations like the GDPR and CCPA are leading the way for other parts of the world to follow suit. They are the beginning of a regulatory privacy wave, evidenced by the dozens of countries that have since introduced new privacy laws and/or tightened existing rules – many clearly modelled on these early efforts – with more to follow suit in the coming months. At least nine US states have proposed legislation similar to the CCPA – including Connecticut, Hawaii, Massachusetts, Mississippi, New Jersey, New Mexico, Rhode Island, Texas – and several more with pending proposals. Worse still, most organisations in the US were not sufficiently prepared for the CCPA and the majority remain so despite the inevitability of future consumer privacy law and regulation. A survey of 200 privacy professionals in September 2019, revealed that only two per cent were comfortable in saying that they were fully prepared.

There is good news though. Companies that take a proactive and protective approach to privacy may find their policies to be a source of competitive advantage. Regulations provide an opportunity for organisations to invest in cleaning up their data stores, improving efficiency and reducing risk in the process. Those that can innovate new ways to personalise customer relationships without violating laws will get ahead of their competitors. In the interim, companies must turn their attention toward state capitals as much as Capitol Hill in an effort to shape data privacy laws to ensure consumer protections are fair and transparent.

With investigations and fines expected to rise in 2020, as well as new regulation due to enter into force, data protection is going to be a fundamental element of doing business in the years ahead. The risk is that after having “survived” the GDPR and CCPA, organisations may relax their efforts both from an operational as well as organisational culture perspective. But more privacy laws are coming, and the public’s awareness of privacy issues will only grow. The GDPR has the merit of having raised awareness across the world, but new regulations following in its wake will only serve to fragment the landscape further. Companies must, therefore, invest the resources to fully understanding their data practices, the types of personal information they collect and maintain, and whether the personal information is sufficiently protected.

Related Articles

Can Asia artificially think?

Can Asia artificially think?

What ChatGPT really tells us about the future economy.  News of ChatGPT’s capabilities has captured the public imagination. Our algorithmically...

7 Feb 2023 Opinion
Access Alert | Safer Internet Day 2023 – Recent Policy Developments in Content Moderation

Access Alert | Safer Internet Day 2023 – Recent Policy Developments in Content Moderation

In celebration of the 20th edition of Safer Internet Day on 7 February 2023, the Fair Tech Institute has reviewed...

6 Feb 2023 Opinion
Tech Policy Trends 2023 | Infrastructure and supply chain security in the EU

Tech Policy Trends 2023 | Infrastructure and supply chain security in the EU

Since Ursula von der Leyen introduced the idea of leading a ‘Geopolitical Commission’ in 2019, the EU has placed security...

6 Feb 2023 Opinion
Access Alert | Canada’s Public Consultation on a Modern Regulatory Framework for Space

Access Alert | Canada’s Public Consultation on a Modern Regulatory Framework for Space

The Canadian Space Agency (CSA) has launched a public consultation on various aspects of the Canadian national space regulatory framework....

1 Feb 2023 Opinion