With regulations already in place across Europe, and several U.S. states taking the matter into their own hands, lawmakers in Washington, D.C., are working to pass a federal data privacy bill ahead of the 2020 elections. A federal law on data privacy would help the United States catch up with the European Union, where GDPR came into effect in 2018. Some American states have already passed data privacy regulations of their own, and many feel that one measure--the California Consumer Privacy Act (CCPA)--will help shape legislation at the federal level.
California is significant because it’s where many of the tech companies that will be widely affected by new regulations are based, but that’s not where these bills stop. News in this area is something of a moving target, but several U.S. states have CCPA-inspired legislation of their own in the works. Internationally, India, Japan, Brazil and Singapore have GDPR-compliant laws in various stages of implementation.
At a February hearing before the Senate Commerce, Science and Transportation committee, trade groups representing tech companies backed a federal law that would pre-empt or override state laws like CCPA, and the committee’s chair, Senator Roger Wicker, has said he would like to get legislation passed this year.
“With potentially 50 states enacting individual data privacy laws, one can imagine the burden organizations will endure to comply with them,” said Michael Magrath, director of global regulations and standards at OneSpan. “Overarching federal legislation will help address these concerns and make life easier and more secure for consumers and organizations alike.”
What Does That Mean for Enterprise IT?
“Businesses first need to understand if the regulation applies to them,” said Anupam Sahai, vice president of strategy and business development at cybersecurity firm Cavirin. “If so, they are already subject to the information retention clause.” That could be said for any of the laws currently in place in the United States or around the world, depending on where a business operates--the restrictions don’t apply only to the jurisdiction in which an organization is based.
Organizations must conduct a readiness assessment, incorporate any new business processes regarding data stored and monetized by the organization, update their web presence to clearly explain their compliance, prioritize employee training, and put in place an enhanced cybersecurity program that includes encryption, risk analysis and timely remediation, Sahai said.
“In fact, all organizations should have a well-defined program, potentially modeled after the [NIST Cybersecurity Framework] already in place,” Sahai said.
Regulations will likely cover not just what types of data can be collected, but also how that data must be protected.
“The days of accessing data protected with a username and password should soon be coming to a close,” Magrath said. “Enterprises must require privileged access personnel to access servers and systems with multifactor authentication, and organizations should support multifactor authentication for consumers to conduct transactions.”
In addition to putting in place procedures to protect the security of data that is collected, firms also have to make decisions about which data they collect and store.
“At the very least, businesses and other organizations should think twice before collecting data that they may not need,” Magrath said. “For example, capturing birthdays from customers to send a nice birthday offer might be something to consider no longer doing.”
That might be unwelcome news for marketers, many of whom have collected data of all types in case it can be used in the future. But moving away from such practices and bringing in opt-out options for clients, customers and even employees sooner rather than later would be prudent, Magrath said: “There needs to be a paradigm shift to prepare.”
Passing a bill requires cooperation between Congress and tech companies on its contents.
That cooperation is not necessarily guaranteed. Tech companies have indicated support for federal legislation that would override California’s strict regulations, for example, but California’s attorney general has said the state’s law shouldn’t be overtaken by weaker federal legislation.
President Donald Trump’s past efforts to work with tech companies have not been free of hiccups either. The president has accused some tech companies of attempting to “silence” people, and the administration’s immigration policies have hampered some tech recruitment efforts. But the administration has also expressed a willingness to take a global approach on AI and data privacy.
With growing public awareness and concern--along with state and federal governments' and tech companies' increasing realization that multiple privacy laws will be confusing and costly--will we see a federal consumer privacy protection law by the 2020 presidential elections, if not sooner? Stay tuned.