For decades, the United States has been discussing data privacy and its impact on consumers. Laws date back to the 1970s, before computers and the Internet were broadly used. With the explosion of technology advancements over the past fifty years, security and privacy regulations have been brought to the forefront. Half a century ago, who could have imagined the innovations in search engines, big data warehouses, social media, and the proliferation of consumer and business platforms generating and storing personal data?
To address this complex problem, a public-private partnership is needed to ensure governments and businesses work together to protect people’s privacy and maintain their confidence. In fact, privacy protection has become table stakes for any organization that seeks the trust and loyalty of those who interact with their brand. Furthermore, compliance with privacy laws has financial implications; privacy law violations and data breaches can cost organizations millions, if not billions, of dollars in fines and remediation measures.
First Movers in Data Privacy Regulations
In 2016, the EU passed the European General Data Protection Regulation (GDPR), the most comprehensive law to date protecting consumer data rights. Although this is a law in the EU, it affects any online business or website that handles the personal data of EU members. This means EU citizens’ data privacy is protected when conducting business with any EU member state, no matter where the person is physically located.
Brazil joined the trend in 2018 with its own groundbreaking data privacy law, “Lei Geral de Proteção de Dados” (LGPD). The Brazilian law applies to any natural person or legal entity, including the government, that processes the Brazilian people’s personal data, even if the entity is based outside of Brazil.
Shortly after GDPR was signed into law in Europe, U.S. states began to consider ways to protect their citizens’ data privacy and security. California was first to pass legislation in 2018 with the California Consumer Privacy Act (CCPA). CCPA gives consumers the right to control their data, including accessing it and deleting it, and the right to communicate their preferences to businesses in terms of collection and storage. This law was amended in 2020 through the California Privacy Rights Act (CPRA), which strengthened CCPA and aligned it more with GDPR.
In March 2021, Virginia became the second state to pass a data privacy law, the Consumer Data Privacy Act (CDPA). Below is a brief comparison of the three U.S. laws – CCPA, CPRA, and CDPA.
As governments gain a more sophisticated understanding of how to deal with data privacy, consumers are gaining more knowledge about their rights. With growing consumer expectations, businesses that once were concerned about data privacy regulations now recognize that they can help build consumer trust while improving data processing and governance efficiency.
According to a study conducted by Consumer Reports’ Digital Lab, 96% of Americans agree that more should be done to ensure that companies protect the privacy of consumers, 94% felt they have a legal right to know everything that a website knows about them, and 91% are willing to take steps to protect privacy online.
Another motivator for businesses to be proactive about consumer data privacy and the implementation of data protection tools is the cost of data breaches. Arguably, the most significant long-term consequence is the loss of consumer trust. Per a 2020 report from KPMG, 97% of survey respondents say data privacy is important to them, with 87% characterizing it as a human right, and 91% “say corporations should take the lead in establishing corporate data responsibility.” In addition to the long-term effect of a data breach, businesses are likely to face short-term financial consequences, such as fines and fees, forensic investigations, and security costs.
What’s Next in the US?
In an attempt to move the privacy needle forward, several states have introduced bills that are similar in construct and substance to CCPA, CPRA, and CDPA. Others have introduced bills that provide some degree of consumer protection with fewer restrictions on businesses. Deliberations to balance the competing interests of consumers, businesses, and government are taking place in a growing number of statehouses across the country.
On June 8, 2021, the Colorado legislature passed the Colorado Privacy Act (CPA). Once it is signed by the governor, Colorado will become the third state to pass comprehensive consumer data privacy legislation in the U.S.
Nevada also enhanced their current data privacy law in 2021. While less expansive in terms of protections, it shows a general trend towards moving legislation that protects consumer data privacy forward.
While passing legislation on a state-by-state basis is welcome progress, the best solution would be a comprehensive data privacy law at the federal level. Privacy is a complex topic, so having universal codification of protections and practices at the federal level would provide all companies one set of guidelines to manage against. This notion is supported by many legal, regulatory, and operational experts who have published widely on the view that federal legislation for data privacy is both overdue and inevitable.
Given the groundswell, the Federal Information Transparency and Personal Data Control Act was introduced in the U.S. Congress in April 2021. Though the future of this bill is not certain at this point, it’s great progress towards a regulation that will streamline the implementation and compliance for companies while protecting the rights of consumers over their data.
You can track the march towards protecting consumer data on the Legislative Tracker of the International Association of Privacy Professionals website.
Ladan Rostami is a senior consultant at RevGen and a OneTrust Certified Privacy Professional.
Joe Humm leads Data Privacy for RevGen’s Analytics and Insights practice. He spent most of 2020 helping a multi-billion dollar services company prepare for the implications of CCPA.