Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated.
A company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. A person may be entitled to free credit monitoring for a specified period of time or may have the right to be notified of the breach sooner than somebody living in another state.
Companies are also subject to different regulations for protecting personal data depending on where they are headquartered and where they do business in the US. In addition to state laws that differ based on geography, most federal privacy laws are written to regulate specific industry sectors. Overall, the US is falling short in protecting personal data, but does have specific and prescriptive regulations for collecting and handling financial data, health data and children’s data.
The increased frequency and scope of data breaches, along with the patchwork of varying data protection requirements by state, underscore why the US Federal Government is considering a sweeping, national data privacy law that will hold more businesses accountable for data protection and security measures. However, many states are not waiting; they are continuing to enhance their own laws in favor of consumers.
Last year, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. The state legislation aims to provide consumers with specific rights over their personal data held by companies. These rights are very similar to those given to individuals in the European Union through the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.
The CCPA was created just days before being signed into law to prevent Californians from voting on a similar ballot measure during last November’s midterm elections, and there have been mixed reactions to how it became a law. However, privacy advocates say it is generally positive and provides flexibility for continual refinement of the requirements in the future.
The CCPA is set to take effect on January 1, 2020. Although the CCPA will be good for consumers, affected companies will have to make a significant effort to implement the requirements. It will add yet another variance in the patchwork of divergent US data protection laws that companies already struggle to reconcile. The CCPA is the first law of its kind in the US and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country.
The passage of a cohesive US federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation. With a new class of representatives recently sworn into Congress and the CCPA effectively putting a deadline on the debate, there may finally be a national resolution to the US consumer data privacy problem. However, the likelihood of it passing in 2019 is slim.
A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law. It will take several months of negotiation among lawmakers to agree upon how the federal law would be implemented. A few considerations:
- Under what circumstances will companies be exempt from certain requirements? For example, compliance costs can be particularly taxing on small companies and industries such as banking. Representatives will push for special exceptions for the key industries and constituents in their home geographies.
- What agency (or agencies) will regulate and enforce the law? Under the current privacy structure, regulation and enforcement largely depend on the industry sector. Medical data privacy law is administered by Health and Human Services, but the Office of Civil Rights (OCR) enforces it. Data breaches are reported to the OCR, and the OCR gets most of the settlement money. The Federal Trade Commission (FTC) enforces the financial data privacy law and children’s data privacy law but may also get involved in a breach of medical data privacy if, for example, a company’s failure to properly protect the data contributed to the breach. And State Attorneys General may also bring charges against violators in their individual states.
- How would implementation, administration and enforcement be funded? The multiple agencies involved today have infrastructure, programs, and most importantly, people on the payroll. Power struggles may ensue among agencies at risk of consolidation, reduced charters and funding cuts.
- How far will the new lawmakers go to protect consumers? Some lawmakers may push for the new law to be robust enough for the European Union to designate the United States as an “adequate” country for importing personal data from EU individuals without additional requirements on US entities. Currently, US entities must take extra steps to be able to receive personal data from EU member countries because our patchwork of data privacy laws is not seen as providing adequate protection.
Not only do states continue to pass their own laws, but congressional representatives also continue to introduce new national laws.
The Social Media Privacy and Consumer Rights Act recently reintroduced by two senators allows consumers to have more control over their personal data used by companies and increases the rights of a consumer affected by a data breach.
The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, also recently reintroduced, would give the Federal Communications Commission (FCC) more flexibility in pursuing and prosecuting those abusing robocalls. Under the bill, telecom companies would need to implement technology to more effectively sift out robocalls. The bill’s main objective is to protect consumers against scams, but it would also lower the number of robocalls overall in support of consumers’ right to be left alone, a key fundamental right of data privacy.
While companies wait for the passage of a national privacy law and then for it to actually take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.