The United States finally starts to talk about data privacy legislation
Despite the US Commerce Secretary's condemnation of Europe's GDPR in May, there are signs that federal and state governments are starting to take data privacy seriously.
At this point in time, almost every marketer has heard about the General Data Protection Regulation (GDPR), Europe’s sweeping data privacy legislation that went into effect at the end of May. US companies are bound by this law because it governs all European Union (EU) members, no matter where their data is collected. Under GDPR, data privacy breaches carry huge penalties — up to 4 percent of a company’s annual global turnover or €20 million (whichever is greater).
But what is the US doing about data privacy on its own turf? And what do marketers think about those efforts?
The Department of Commerce starts its work
Last week, David J. Redl, an assistant secretary of the US Department of Commerce, spoke to the Internet Governance Forum (IGF) at its IGF-USA 2018 conference about the Trump administration’s plans to work on data privacy issues. His statements about data privacy laws hampering the progress of business echoed comments made in late May by Redl’s boss, US Commerce Secretary Wilbur Ross. Ross wrote an impassioned critique of GDPR in London’s Financial Times just days after the European law went into effect, calling it “likely to create barriers to trade.”
Redl said that “the Trump Administration is a strong advocate for the multistakeholder approach to Internet governance and policy development. Simply put: Bottom-up, consensus-based processes create policies that are trusted throughout the Internet ecosystem.”
But he also nodded to the concerns of business, saying, “… our driving force will be a commitment to meeting [the] challenges [we face] in a way that ensures America’s prosperity and clears the way for innovation. America has seen enormous benefits from this approach, so we must continue to give a green light to innovators to create a more secure, more open and more prosperous Internet.”
Redl said that the National Telecommunications and Information Administration (NTIA), along with representatives of the International Trade Administration (ITA) and the National Institute of Standards and Technology (NIST), recently began holding stakeholder meetings “to identify common ground and formulate core, high-level principles on data privacy.” Redl is administrator of the NTIA, which is an executive branch agency that advises the president on telecommunications and information policy.
He pointed to the Federal Trade Commission (FTC) as a “strong privacy regulator” and cited an NTIA study saying that a majority of households in America have significant concerns about privacy and security risks.
Redl said that the Commerce Department has “convened multistakeholder processes to build consensus and make progress on a number of issues, including cybersecurity vulnerability disclosure, secure updates of IoT devices, and providing more transparency about data collected by mobile apps. Our ultimate objective with these processes is to foster a more resilient ecosystem through the creation of industry-led, market-based cybersecurity solutions.”
“Last week, we launched a new process focused on the transparency of software components — based on the idea that you have to know about any vulnerable components in your connected products if you want to keep them secure,” Redl told the IGF.
He said that the government cannot solve this on its own.
“Leadership must also come from the broader Internet and security community,” Redl said. “We plan to play a coordinating and supporting role, helping to identify priorities and bringing together stakeholders to solve problems.”
Businesses appear to be in the mix. Reuters reported last week that the Commerce Department is meeting with companies like Facebook, Comcast and Alphabet as it works toward eventual legislation. It’s not clear apart from business and other agencies what other stakeholders, such as representatives from consumer advocacy groups, are included in these discussions.
California steps up, other states to follow
Last month, California signed into law the California Consumer Privacy Act (CCPA), a stringent “GDPR-like” data privacy bill — the first of its kind in this country. Because of California’s size and influence, the law is likely to set the standard for states’ data privacy laws moving forward.
A handful of other states have implemented new laws or amended existing ones this summer, but none have passed sweeping, comprehensive legislation like California’s.
For example, Alabama passed its first data breach notification law, which imposes significant penalties on entities that collect PII without authorization. It also expands the definition of PII to include health information and usernames or email addresses in combination with another identifier such as a password or security question/answer.
Vermont, on the other hand, passed legislation that will require data brokers to be transparent with the state attorney general by registering, making annual disclosures of practices and breaches and maintaining an information security program.
One-stop shop vs. state-by-state
One of the main differences between the EU’s present data privacy policies and the US is that GDPR touts a “one-stop shop” approach to data privacy. Under this principle, organizations that have a presence in multiple EU member states only need to deal with one lead supervisory authority. Although the US does have some federal data privacy laws that govern specific verticals like the Health Insurance Portability and Accountability Act (HIPAA), it does not have a single law like GDPR that covers all citizens. Unless a federal data privacy law is passed, each state’s laws will have jurisdiction over its own citizens.
Neil Lustig, chief executive of marketing automation company Sailthru, says that the state-by-state approach can create a sort of “whack-a-mole” patchwork of laws across the United States.
“[The EU] government is more involved and has a more paternal approach to its citizens and their protections …” Lustig told me. “In the US it’s more of a laissez-faire capitalism approach that assumes that the market will ultimately solve these problems.”
Lustig said that Americans want stricter protections:
In this case though, I think this is kind of a miss on the part of the industry because the market didn’t solve this problem. And now — we surveyed our customers post-Cambridge Analytica and our findings were that the majority of Americans want the government to step in and provide explicit data protection regulations.
Travis Ruff, chief information security officer of consumer data platform (CDP) Amperity, said it’s a culture difference.
“There’s no denying there’s an underlying culture difference between the way the US and Europe view privacy,” Ruff said. “In fact, the right to consumer data privacy has been a fundamental part of the European mindset for decades, while it’s been virtually non-existent in the US. GPDR is Europe’s perfectly sensible reaction to years and years of obscure marketing practices.”
In the meantime, we’re starting to hear rumblings of GDPR taking root in Europe with reports of breaches starting to rolling in. And Europe will also see the ePrivacy Regulation, which focuses on electronic transfers, become law sometime in the future.
Here in the US, it appears a sure thing that other states will follow California’s lead and implement new, stricter laws that are closer in line with GDPR. Only time will tell that if, in its efforts to foster prosperity, the US remembers to protect its citizens.