It remains to be seen whether the United States will adopt a sweeping national data privacy law similar in scope to the European Union’s General Data Protection Regulation (GDPR). Consumer advocate groups, private enterprises, and state legislators here have called for clarity around the issue.
Support for a National Data Privacy Law
Supporters argue that a U.S. national data privacy law like the GDPR is necessary to protect citizens. In 2020, the CEOs of two leading tech firms publicly backed the idea.
Keith Block, co-CEO of Salesforce, said “There is no question there needs to be some sort of regulation in the United States. It would be terrific if we had a national data privacy law; instead we have privacy by zip-code, which is not a good outcome.”
PayPal CEO Daniel Schulman agreed, criticizing our “acceptance” of privacy policies that are too long and complicated for average website visitors to truly understand.
The inconsistent patchwork of laws across the United States means companies must continuously monitor very different state data privacy requirements and weigh, state by state, whether the cost of compliance is justified by the risk of non-compliance. Some states have set persuasive guidelines that others tend to follow, much as the European Union has for businesses that deal abroad.
History of Privacy Laws of the United States
There is currently no single overarching federal privacy law in the United States. Laws that address data privacy include the Privacy Act of 1974, HIPAA, the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley), and the Children’s Online Privacy Protection Act (COPPA) – but these laws are limited to particular sectors or data types and do not uniformly protect citizens from the buying, selling, and leaking of personally identifying information.
Some proposed U.S. data privacy laws call for:
- Greater access to one’s own personal information that has been collected or shared
- The right to correct erroneous data
- The right to request deletion of personal data
- The right to restrict a business’s ability to process that data
- The ability to opt-out of the sale of personal information to third parties
- The right to seek civil damages when privacy interests are violated
Both Democrats and Republicans have expressed interest in a federal law that protects citizens uniformly, but talks are ongoing and no law has been passed. Clearer legal guidance would help businesses guard the public privacy interest by laying out rules for how to give notice of security breaches, when to conduct formal risk assessments, and how to minimize their risk.
California Consumer Privacy Act
State legislatures are filling the gaps as best they can. Effective January 2020, the California Consumer Privacy Act (CCPA) became the first comprehensive state consumer privacy law in the country. It gives consumers in the state the right to access, delete, and opt out of the sale of their personal data. Protected personal information includes biometrics, browsing history, email, employment, geolocation, and any “probabilistic identifier” that makes it more likely than not that a particular consumer can be identified. Businesses are called upon to “implement and maintain reasonable security procedures,” and a failure to do so that results in a data breach exposes them to lawsuits seeking statutory damages of up to $750 per consumer per incident. It was a hard-fought piece of legislation, undergoing 18 months of scrutiny, challenges, and amendments from the time it was enacted to the time it went into effect.
Even so, other states have followed in California’s footsteps with “CCPA copycat” bills such as SB 418 in Hawaii, SB 613 in Maryland, S-120 in Massachusetts, S-5642 in New York, and HB 1485 in North Dakota.
Important Considerations for Federal U.S. Privacy Laws
As the National Law Review points out, public enforcement through the FTC or another government regulator alone is not feasible at such a scale. Private class actions filed through law firms will also play an active role in keeping tabs on data breaches and holding companies accountable.