The Hunt For a Federal Data Privacy Law

With consumer data being collected, stored, shared - and in some cases, misused - at scale by organizations, lawmakers have called for regulatory efforts aimed at protecting data privacy over the years. However, the U.S. still lacks an all-encompassing federal data privacy law.

Data privacy is being tackled at the state level, as well as in the courts - most recently, with four attorneys general claiming that Google had continued to track the data of users that had changed their settings to block data collection. A single federal law, however, would act as a comprehensive measure to protect consumers’ private data from being misused, even in states without regulations, said privacy stalwarts during a Friday session on data privacy laws hosted by the MITRE Corporation.

“People are becoming more privacy literate, and they have more expectations about privacy, but there is no single uniform national privacy law,” said Dena Kozanas, associate general counsel and chief privacy official with the MITRE Corporation. “This Congress has made advances in passing a comprehensive privacy law, but more needs to happen, and it needs to happen sooner rather than later.”

Several federal bills have been proposed over the years addressing data privacy, including one introduced as recently as July called The Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The act, introduced by Sen. Roger Wicker (R-Miss.), would mandate that companies disclose comprehensive privacy policies, allow consumers to access or delete their data, and give the Federal Trade Commission (FTC) teeth to hold businesses accountable for following these rules. This bill joins previous efforts like the Information Transparency and Personal Data Control Act introduced in March by Rep. Suzan DelBene (D-Wash.).

With a lack of privacy laws at the federal level, a number of states have passed their own regulatory efforts, spearheaded by the California Consumer Privacy Act, passed in 2018, which gave residents certain rights around how their personal data can be stored, accessed, sold and deleted. Since then, Virginia passed a privacy law in March of last year that requires businesses to give consumers the ability to access, correct and delete personal data that has been collected about them, while Colorado passed its own law in July that mandated that companies create detailed privacy policies and allow consumers to access or delete their data, as well as opt out of certain usages for their data.

However, these rules only apply at the state level, meaning that no privacy regulations exist for an organization that operates outside of a state with such laws. They also create a web of compliance laws for companies that operate across different state lines.

“America desperately needs a national privacy law,” said Jordan Crenshaw, vice president at the U.S. Chamber of Commerce's Technology Engagement Center. “We’re witnessing an emerging patchwork of state laws that will make it difficult for companies to comply across state lines, and confusing for companies and consumers to know what privacy rights consumers have across state lines.”

Though security experts agree that a federal privacy law would go a long way in protecting consumer data, developing and implementing such a law comes with various levels of complexity. Privacy experts said that lawmakers must grapple with an array of questions, including who should enforce the mandates, what kind of penalties should exist for companies that don’t comply with the rules or how to create regulations without stifling innovation.

The question of enforcement alone comes with various possibilities. Laws can be enforced by giving a government agency, like the FTC, the authority to inflict penalties on companies that don’t comply, or by allowing state attorneys general to go to court and enforce privacy laws, two enforcement options that were part of Rep. DelBene’s proposed Information Transparency and Personal Data Control Act. Another option would be a private right of action, which puts the power in the hands of the consumers themselves by allowing private citizens to bring the issue to courts in order to enforce their rights. Crenshaw warned that one issue with this latter option is that it can lead to different interpretations of the law.

Then comes the challenge of actually implementing such a law. The General Data Protection Regulation (GDPR) rules, which apply to the EU and went into effect in 2018, took two years to implement and posed “the biggest compliance nightmare that Europe has ever experienced,” said Alberto di Felice, director for infrastructure, privacy and security policy at DIGITALEUROPE, though he stressed that the flexibility of GDPR’s framework makes it “as close as you could get to a perfect law,” at least on paper. For organizations, GDPR compliance came with a broad range of tasks, including upgrading their data security requirements, creating inventories of data and more.

“The challenge has been on the regulators as much as it has been on the industry,” he said.

The good news is that there are a lot of areas of agreement from both sides of Capitol Hill, particularly on issues like consent, security requirements and a degree of data sharing opt-out allowance, said Crenshaw.

“You need robust consumer protection, you need substantial rights like reasonable security, the ability to opt out of data sharing… the right to delete data, and the right to correct data,” said Crenshaw. “You need to give companies lead time to get themselves together, so that it’s a collaborative versus combative compliance.”

Despite these challenges, a federal privacy law could be imminent due to the level of concern that consumers are feeling about the privacy of their data, particularly after data privacy incidents like the Facebook Cambridge Analytica data scandal. In addition, continued innovations in technology - like Internet of Things (IoT) devices or biometrics - that rely on data make regulatory efforts even more relevant.

“What is certain is that the trajectory is moving away from self regulation and more toward industry regulation,” said Kozanas.

Privacy experts are optimistic that state data privacy laws will act as models for any potential future federal law. Crenshaw also stressed that, under the doctrine of preemption, a federal privacy law would preempt these state laws.

“It is possible to get the law done, and it is also possible to protect consumers in a meaningful way while also promoting innovation,” said Crenshaw. “We shouldn’t let issues - such as who gets to enforce what, or the patchwork of state laws - get in the way.”