The use (and misuse) of user data has only been thrust further into the spotlight, not only with new laws taking effect in many countries but also thanks to a slew of high-profile scandals, such as Cambridge Analytica. With the ongoing consequences of data breaches, people are demanding more transparency around how their data is used.
That’s as true of the US as it is of any other country. And, on the back of public pressure, several states have implemented (or are in the process of implementing) regulations which share broadly the same goals as the European Union’s General Data Protection Regulation (GDPR).
As these laws, and the wider data transparency movement, gather momentum, there’s increased speculation around how far out the US is from adopting its own GDPR-style legislation at a federal level.
Companies need to start asking themselves how ready they are for the laws in place and how ready they’ll be for any federal laws that may be instituted around data privacy.
The impact of CCPA
While GDPR grabbed all the international headlines, the first US regulations aimed at data transparency were actually signed into law at around the same time.
The California Consumer Protection Act (CCPA) provides several important rights to residents of the state, allowing them to know what personal data is being collected about them, access it, request its deletion, and opt out of having their personal data collected.
All for-profit companies that do business in California (within certain thresholds) are required to comply with the law, which comes into effect on 1 January 2020.
While the CCPA does differ from GDPR in several important respects (most significantly, it works on an opt-out basis, rather than the GDPR’s explicit opt-in requirement), it was still a significant step forward in the evolution of privacy laws in the US.
The depth of its impact becomes especially apparent when you consider that close to a dozen other states have either drafted or passed copycat legislation in the months since CCPA was passed.
While some are less restrictive and others more stringent than CCPA, all model themselves on it to some degree.
With these kinds of advances at the state level, there are increasingly loud calls for data privacy laws to be implemented at a federal level.
These calls have come from independent commentators, as well as major industry players. Their logic is compelling too. Not only would a federal law be easier to comply with than a patchwork of state laws, the greater resources available at a federal level would also make it easier to enforce.
Another advantage of a federal data privacy law is that it would allow data from the EU and EEA (European Economic Area) to be transferred to the United States without the need for any additional safeguards or agreements, as long as the EU sees the legislation as providing an adequate level of data protection.
However, compelling the case for federal data protection legislation might seem, it’s unlikely that it will come to pass any time soon.
First off, any proposed federal law that comes before Congress may prove too weak for some states (Californian representatives have already argued that their law is the best and should not be subsumed) and too stringent for others.
The fact that there are already several competing federal data protection bills may also hamper the chances of any one of them passing successfully in the near future.
That does not, however, mean that organizations should proceed with the assumption that legislation won’t be passed.
Instead, they should act preemptively, readying themselves for any laws which do pass. If an organization is already GDPR compliant, for example, it should be well on its way to regulatory compliance, no matter which states it operates in.
Being ready early won’t just spare an organization the inevitable last-minute rush once legislation does pass, it also comes with a host of business benefits, including improved data management, increased trust, and improved customer loyalty.