With nearly every U.S. company feeling the effects of regulations like GDPR and the Canadian Anti-Spam Law (CASL), the time is ripe for a similar regulation to go into effect in the U.S.
We’re starting to see this at the state level, where eleven states are considering—and one has passed—comprehensive data privacy acts of their own.
California, ever the trendsetter, passed the California Consumer Privacy Act (CCPA) in 2018; the regulation is set to go into effect January 2020. Since then, other states have introduced similar legislation, including Washington State, where the Washington Privacy Act (SB 5376) is currently under consideration in the state legislature.
Given the nature of eCommerce, the reach of these regulations extends far beyond the borders of the territories that enact them, affecting any company processing the data of a state’s residents. And with California, that reach is significant. As Lydia de la Torre wrote for the International Association of Privacy Professionals (IAPP), “After all, California is the fifth largest economy in the world, the home of many technology titans, and traditionally a trend-setting state for data protection and privacy in the U.S.”
Data privacy at the federal level
U.S. companies and citizens will continue to be governed by a patchwork of state laws unless a federal data privacy law is passed.
Congress has introduced several data privacy bills recently, including the American Data Dissemination Act and the Social Media Privacy Protection and Consumer Rights Act of 2019, which both contain echoes of GDPR. But as for what an overarching U.S. law might look like, that’s still unclear. As Eduardo Ustaran, co-director of the privacy practice at law firm Hogan Lovells, told Fortune, there’s a major philosophical difference between the EU and the U.S. “Privacy and data protection are fundamental rights from the EU perspective but not in the U.S.,” he noted.
There are some clues as to what such a law could look like. In the U.S., data privacy is currently governed by a number of overlapping federal laws, state laws, and industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which governs financial institutions. These industry-specific carve-outs will likely continue to take precedence under a federal law.
Just as with GDPR in the EU, we expect exemptions for fraud prevention and similar uses to be carved out as well, since for these uses the interests of the data subjects and those of the controller and processor entities are aligned.
Lastly, U.S. laws will also likely apply only to businesses with commercial activity at a certain scale, so that small businesses are not saddled with an onerous compliance burden that could stifle their growth. For example, Washington State’s proposed law doesn’t apply to companies doing business with fewer than 100,000 Washington residents.
Challenges for companies
Until there is a comprehensive federal law in the U.S., we’ll continue to see companies struggle to become compliant with myriad patchwork regulations. That will become even more difficult as more states pass their own regulations—the current and proposed state regulations may be working toward the same goal, but they don’t exactly match up in terms of specific requirements.
One way to ease this challenge is for regulators to build ample lead time into their compliance deadlines. Many companies don’t have the engineering systems in place to fulfill the provisions of the laws being passed, which means states will need to build in a couple of years’ lead time so that businesses can update their processes to handle the data and be in compliance once the deadline hits.
But even without a compliance deadline to spur actions, companies need to be thinking strategically about how they use data.
Overall, we expect GDPR’s theme of “more transparency for the user on how their data is being used and by whom” to gain momentum not just in the U.S., but across the globe. Within the U.S., at both the state and federal level, the data covered will resemble GDPR’s scope, focusing mostly on personally identifiable information (PII). Fundamental rights around transparency and choice, being informed, and being “forgotten” will be the underpinnings of this law.
Forward-thinking companies will need to examine how they’re storing data, where they’re storing it, and how they’re using it. They also need to be vetting their data vendors to ensure they’re working with vendors who take privacy and data security seriously.
At Ekata, we’re excited to see how companies and regulators work together to create a better, more secure experience for consumers. Learn more about Ekata’s suite of compliant data validation tools or contact us for a demonstration today.