Recent large-scale data breaches and discussions around the potential misuse of consumer information have prompted legislators, advocacy groups, and business leaders to call for broad federal privacy legislation. Though politicians from both sides of the aisle have expressed a desire to introduce enforceable federal privacy legislation, there is disagreement as to the specifics, such as whether the law would pre-empt state regulations, and how to handle entities covered under HIPAA.
In September, 51 CEOs sent an open letter to Congress asking for passage of federal privacy legislation. The CEOs included those from Amazon, Dell, JP Morgan Chase, Salesforce, and IBM. They argue a comprehensive privacy law would provide clarity and make doing business easier, in contrast to the current discrepancies among the various state privacy laws.
50 states now have privacy legislation on the books, none of which are consistent. This patchwork of laws can be difficult to harmonize. As each new regulation goes into effect, compliance costs continue to rise, particularly for smaller companies (if they aren’t exempt under certain provisions). The California Consumer Privacy Act (“CCPA”) rolls out in 2020, and is currently the strictest privacy law in the nation. New York recently passed the SHIELD Act, imposing more expansive data security and data breach notification requirements on companies.
The Internet Association recently launched “Privacy For All Americans”, a campaign urging Congress to pass federal privacy legislation. “Passing comprehensive, federal privacy legislation in the 116th Congress is a top priority for the internet industry,” said IA President and CEO Michael Beckerman. He argues it’s important for Americans to have “clear and consistent privacy protections regardless of where they live or the type of company they interact with.”
Privacy advocates, however, are approaching this effort with some trepidation. They worry federal privacy legislation would erode current consumer protections. Many states want to keep their own laws on the books, and are opposed to pre-emption efforts.
Data privacy is on everyone’s radar, so it’s not surprising politicians, consumers, and companies are seriously discussing a comprehensive federal data privacy law. However, according to sources, federal privacy legislation is not likely to come before Congress this year. Although there is support for some sort of federal oversight, many disagree on how that should look. One issue is whether individuals would have the right to directly sue companies that violate the federal privacy legislation. Privacy advocates generally support the idea of a private right of action, but others do not. Another issue is whether the FTC should have more authority to create rules related to privacy and the extent of its enforcement ability. For Congress, the challenge will be creating federal privacy legislation which balances privacy concerns and business interests.
So, what does that mean for companies?
Companies should be prepared to comply with the CCPA and other state regulations that passed this year. If federal privacy legislation is eventually passed, it’s likely many requirements and obligations found in state laws will be included. Complying with the relevant state laws now will put you in a better position from both a regulatory standpoint and a cybersecurity posture standpoint.
For many companies, the ongoing regulatory changes should be a wake-up call, particularly given the potential financial and reputational consequences. Continuing to prioritize cybersecurity efforts is paramount.