There are so many variables—and continued large-scale breaches affecting U.S. consumers—that state legislators have been compelled to act. Astute organizations are watching data protection and privacy developments closely. On the one hand, complying with disparate state laws is tricky; on the other, speaking out in favor of stricter regulations is potentially financially and operationally burdensome. A few high-powered CEOs like Tim Cook have spoken publicly in favor of a federal regulation, but it’s worth noting that Apple, unlike Google, Facebook, and the like, does not earn substantial revenue from PII data harvesting. Thus, Cook and like-minded colleagues see support of data protection regulation as an opportunity to improve public opinion in the wake of the Cambridge Analytica scandal.
Recognizing the writing on the wall, other tech giants including Amazon, Alphabet (the parent company of Google), Microsoft, Lyft, Uber, and Twitter proffered their support to Congress for a federal privacy law. On the surface this sounds like a big win for consumer data privacy. In reality, this attempt, made in early Q4 2018, was meant to temper individual, stringent state mandates such as the CCPA, which will guarantee California consumers the right to learn exactly what personal data is being collected about them, how it’s being used, and for what purposes. In addition, under the CCPA, consumers must be able to opt out of data sharing/sales to third parties, access and download their stored data, and transfer their PII to a competing service without penalty or backlash. Importantly, certain circumstances allow consumers to demand the deletion of their PII and to sue in the case of a data breach.
Data privacy protection won’t be at the heart of new laws
Placing control over data governance into the hands of the government and consumers is not what enterprises had in mind when they lobbied Congress last September. In truth, enterprises’ aims are to:
- standardize requirements into a softer version which addresses the issue yet continues to allow businesses to collect and use PII most profitably;
- ensure that any law passed is based on realistic technological capabilities (e.g., preventing a law that requires software companies to write backdoors for encryption).
Seizing control at a national level now lessens the probability that too many onerous or self-defeating changes will be imposed later on. The CCPA is an early indicator of things to come, and enterprises want to ensure they don’t have to navigate disparate or irrational data privacy and breach requirements across multiple jurisdictions. One uniform, federal law would preempt states’ mandates, and companies fully understand that the current U.S. administration leans away from strict regulation. Striking while the iron is hot kills two birds with one stone: the creation of a data breach and/or privacy regulation that addresses some of consumers’ concerns and adds accountability for a breach, but one that doesn’t necessitate the large-scale technology and process changes which accompany GDPR and (to a lesser extent) the CCPA.
It’s likely that a GDPR-like cybersecurity regulation is on the horizon for U.S. companies, but don’t expect it to treat data protection and privacy like a fundamental human right. Data handling laws may be stricter in the coming years, but U.S. companies and consumers alike have not shown the desire for the type of rigorous policies instituted in the EU. In anticipation of forthcoming regulation, companies may want to evaluate current data handling processes and embrace the opportunity to eliminate unnecessary data collection, shore up weaknesses in data protection, and curb the over- or misuse of PII that makes a data breach more likely.