The Need for Strong Federal Data Privacy Legislation
Consumers in the United States have finally begun to pay attention to the privacy of their data. The spring of 2018, which saw the Cambridge Analytica scandal break and Mark Zuckerberg testify before the U.S. Congress, seems to have been a tipping point. Data privacy advocates and ordinary consumers alike compared laws in the U.S. to Europe’s General Data Protection Regulation (GDPR), which also went into force in the spring of 2018, and concluded that Americans needed much stronger protections for the privacy of their personal data.
And they’re right: It’s become increasingly clear that the United States is way behind the curve. GDPR filled the regulatory vacuum in the U.S., becoming the default standard for organizations’ data privacy programs and, in effect, making Europe the primary privacy regulator for many U.S. companies and consumers. While GDPR has helped address previously neglected privacy issues and provides a good framework for privacy compliance efforts, it was optimized for European concerns and in many ways reflects European values. The United States should become a global leader in privacy protection, writing our own legislation while still leveraging the best parts of GDPR.
Individual U.S. states have recently jumped in to try to fill this data privacy leadership void. Our home state of California was one of the first to propose data privacy legislation, which led to the California Consumer Privacy Act. There are now at least 16 other states proposing or enacting privacy legislation.
We are concerned about where a state-driven focus on privacy will lead. Managing up to 50 different “flavors” of privacy legislation would be a daunting or even futile exercise for companies that do business nationwide, with a disproportionate impact on new or smaller businesses. This regulatory thicket would inevitably negatively impact their customers as well as require companies to funnel energy and resources into compliance instead of what’s most important — their customers’ experience. And the complexity inherent in trying to meet up to 50 disparate and potentially conflicting privacy regulations might actually pull focus away from data security and decrease the likelihood that consumer data will, in fact, be protected.
This is why we support a strong but uniform federal data privacy law that can protect all U.S. consumers, while supporting continued U.S. business innovation and growth. To further this initiative, we’ve been working with and supporting the efforts of BSA | The Software Alliance, an advocacy organization representing the global software industry. BSA advocates for public policies that foster technology innovation and drive growth in the digital economy.
We’re making great progress! Here’s something fantastic that you don’t hear too often coming out of Washington, D.C.: Data privacy is a bipartisan issue. A working group of senators from both sides of the aisle is currently working on draft privacy legislation that could help the United States take a leading role in privacy protection.
In late May 2019, Brad joined his peers on BSA’s board of directors on a journey to Washington, D.C., where they met with members of Congress to discuss data privacy and related topics. Throughout all of the meetings, they heard congressional support for passing strong, comprehensive federal privacy legislation.
And they didn’t travel to Washington unprepared. BSA and its members have been hard at work for well over a year on the BSA Privacy Framework, a recommended set of best practices that can create the foundation for sorely needed privacy legislation. Good privacy legislation may look and feel like a bill of rights that protects the interests of both consumers and businesses — because if either of these stakeholders is harmed then our mission to bring new technologies to market will suffer.
Here are brief summaries of some of the key components from the BSA Privacy Framework. Organizations that hold personal data should proactively comply with these requests from consumers:
- Transparency: What data about me are you collecting, how are you using it, how are you maintaining it, and how do you support my requests to review or delete it?
- Purpose Specification: Tell me why you’re collecting data about me and then use it only for that purpose.
- Informed Choice: Tell me how and why my personal data is being processed, and provide me with the ability to opt out when feasible. For example, I expect an online retailer will process my credit card and shipping address information if I make a credit card purchase and want the product shipped to me. But I should be able to request that the retailer not use my information anywhere beyond this specific order/transaction.
- Data Quality: Put processes in place to ensure that my data is of the highest quality possible, meaning it is accurate, complete, and current.
- Consumer Control: Tell me whether you have personal data relating to me and, if so, give me access to a copy of the data and the ability to ask that it be corrected or deleted, within some agreed-on parameters. If the risk to my privacy is minimal but the effort and expense of supporting this control at scale is much greater, the requirement could seriously impact an organization’s business viability.
- Security: Reasonable security measures must be in place to prevent unauthorized access to and use of my personal data. “Reasonable” because one size can’t fit all; the measures need to account for both the types of personal information processed and how they are processed.
- Facilitating Data Use for Legitimate Business Interests: Don’t ask me to approve every use of data appropriate to ensure you can deliver the products and services I expect. This includes your ability to send relevant marketing communications as long as I haven’t opted out from this type of communication.
- International Interoperability: Enable exchange of my data across geographic boundaries while ensuring it continues to be subject to robust data protection. This clarifies the need to support the U.S. position in the global economy, so whichever privacy framework the U.S. legislates must include tools to bridge requirements with non-U.S. privacy legislation, such as GDPR.
We look forward in future posts to keeping everyone apprised of our continued progress. In the meantime, we would value any comments and feedback that you may have.