It’s time for a national privacy law in the US
Consumer data privacy is no longer a necessary evil but a competitive differentiator for any company participating in the global economy. The EU’s GDPR represents the world’s most comprehensive regulation for privacy best practices, holding companies to stringent standards for data collection, storage and use.
US national privacy law
Many countries have followed suit in recent years by adopting similarly aggressive privacy laws that reflect a greater dedication to data protection.
In stark contrast, the US remains one of the few major players in the global economy without national privacy legislation. Some states have enacted privacy laws, and the federal government has enacted industry-specific laws — HIPAA, Gramm-Leach-Bliley Act and FCRA — but there is no single, homogeneous enforceable set of data privacy guidelines that all US companies are required to follow.
Having uniform, federal requirements for data privacy has multiple advantages. First, it will allow an effective way to enforce these regulations, prompting data collectors to take these regulations more seriously. Second, it will enable technology providers to design solutions that specifically aid in protecting sensitive consumer data. Data collectors (i.e., companies that have their customers’ data) want to comply with regulations but are overwhelmed with the variation in requirements by state.
The status quo is putting American consumers at risk and businesses at a distinct disadvantage both at home and globally, due to the reluctance of consumers to do business with them. A national privacy mandate could help US businesses reap the benefits that more stringent privacy practices can provide.
In the absence of a national policy, some states are taking matters into their own hands and enacting their own privacy laws. Only three states — California, Nevada and Maine — currently have data privacy laws. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which will further strengthen that state’s existing privacy law (CCPA) when it goes into effect in 2023.
While state efforts should be commended, individual laws can’t make up for a consistent policy based on which all organizations must operate. Even if all 50 states passed individual privacy laws, companies would still have to navigate a very difficult course to maintain compliance.
For example, a company operating in 10 states would have to dedicate resources to understand not only the differences in the laws for each but also how the laws may intersect with one another.
Implementing guidelines and technologies to store and share data based on disparate regulations is expensive and time-consuming. Moreover, privacy regulations such as the GDPR and the CPRA are expansive in scope: they can be enforced on organizations that do business with (EU and California) residents even if they do not have a physical presence in that union/state.
As more countries slowly but steadily evolve the way they address data privacy, America seems like an outlier in the global economy. In 2020, countries like Brazil and South Africa introduced GDPR-inspired national legislation, while India awaits approval of a similarly comprehensive privacy law. Many other countries amended existing laws to address modern privacy concerns (e.g., New Zealand, which repealed and replaced its 1993 Privacy Act).
With the emergence of stronger privacy laws abroad, the absence of national data privacy regulation in the US is making it harder for US companies to compete for global partners. For example, in November, the European Commission, the EU’s executive body, announced guidelines that would drastically restrict the number of countries with which EU businesses could store data, and the US is noticeably absent from the list. This exclusion offers a clear indication that America’s deficiency in this area is making global business ventures more difficult, if not impossible, in many instances.
Benefit 1: Consumers win. Instituting a US national privacy law offers a clear benefit to consumers. Striving to protect the data that consumers share is just the right thing to do, especially when you consider the immeasurable insight organizations gain from that data. Companies in the financial services, healthcare and retail sectors are fighting the hardest for a comprehensive consumer privacy law as their business efficiencies are becoming heavily dependent on collecting consumer data that is often shared with third parties, risking the prospect of a data breach.
Benefit 2: Less confusion. With all organizations working off the same page, it becomes easier for companies to understand privacy expectations in each state in which they operate. It would also eliminate the resources necessary to understand each state’s guidelines and create a blueprint to ensure compliance.
Benefit 3: Trust equity. By implementing a national privacy standard that is similar to other global legislation, US companies would collectively protect data more responsibly and effectively than it does currently. This, in turn, would build greater trust not only with consumers here in the US, but also with potential partners, which would strengthen America’s reputation globally, as it relates to data privacy.
Benefit 4: Expanded opportunities. Given the growing importance of data privacy as a key business expectation, having a strong national legislation will expand the number of opportunities with businesses in countries where data privacy is already mandated and become a competitive differentiator against other players in their space.
Once the US introduces a national privacy law, incorporating the right privacy-preserving technologies will be critical to maintaining compliance. It starts with tools that allow organizations to identify what is categorized as sensitive information and then highlight gaps in protection, allowing them to take the appropriate corrective measures.
One of the key elements of the GDPR — which would likely be part of a comprehensive US privacy law — is the requirement that data protection for applications and databases is implemented “by design and by default” (Article 25), and there are two important components necessary to adhere to such a requirement.
The first component is data transformation, which replaces the original data with values that are not identifiable anymore. There are various types of data transformation:
- Tokenization, also known as Format Preserving Encryption (FPE): Replacing sensitive data with “decoy” data that looks authentic. For example, replacing a Social Security number (SSN) with a “fake” SSN in case data is exposed or stolen. Only authorized users have the ability to restore the real data with the encryption key.
- Anonymization: Permanently altering personal data in such a way that it is untraceable to an identifiable person. It is like tokenization, but irreversible.
- Masking: Replacing sensitive data with “dummy” data values such as a single word like CONFIDENTIAL or PROTECTED, making it impossible to view the original data.
- Encryption with a well-known and proven algorithm like AES: Sensitive data is mathematically altered using a cryptographically generated “key,” rendering it unusable with all the compute capacity available in the world.
Recent technological advances have ushered in the field of Privacy Enhanced Computation (PEC), where it is possible to process encrypted data. Organizations can use techniques such as:
- Homomorphic encryption: With this method, all users are able to apply functions to encrypted data without decrypting it
- Multi-party computation: Lets multiple contributors work on data simultaneously without letting sensitive data and encryption keys be co-resident.
Data transformation is not effective without a second component: access control. Enterprises must adopt security practices that minimize or eliminate access to sensitive data and encryption keys by database administrators. Solutions that offer different types of data transformation based on how that data is to be utilized downstream while maintaining its utility with PEC techniques provide the most comprehensive answer to this never-ending stream of data breaches from a technology perspective.
While there’s currently no discernible timeline for a national privacy law in the US, the wheels are in motion for such a regulation to happen sooner rather than later. The fact is that US companies have too much to lose without one and so much to gain with one.
Regardless of when, forward-thinking companies should begin the process of protecting data by utilizing new technology approaches that allow them to collect, store and process data in a manner that would comply with the most stringent privacy regulations.