CPOs Prepare as Congress, the CFPB, and the FTC Hone in on Privacy

In recent years, individual US states have responded to calls from their residents to address the growing issue of data privacy. So far, California, Connecticut, Colorado, Utah, and Virginia have adopted laws to regulate the handling of sensitive personal data and protect the data privacy of their residents. And most recently, the nationwide push to strengthen data privacy protections is driving the United States federal government to implement and consider new laws and regulations.

In this article, I’ll review the recent data privacy developments across various parts of the federal government, and look at how CPOs and other data privacy professionals are preparing to comply with these potential new rules – even as they also work to ensure compliance with various international and state-level data privacy laws.

Data privacy gains momentum

The issue of data privacy became a significant concern for global companies with the passage of the EU’s GDPR in 2018. Anyone who didn’t initially take notice when GDPR went into effect had a wake-up call when eye-popping fines for GDPR violations were issued to technology companies like Amazon ($823 million), WhatsApp ($247 million), and Facebook ($66 million). And technology companies weren’t the only ones fined – GDPR also imposed fines on Swedish retailer H&M ($39 million) and Italian telecom TIM ($30 million). For businesses and consumers alike, GDPR has established a very high standard – some might call it a “gold standard” – for data privacy laws and regulations.

In recent years, data privacy has become a much bigger concern for US residents, as one well-known company after another reported breaches of sensitive customer data like names, birth dates, and social security numbers. In fact, a recent consumer survey by Cisco Systems showed that 86% of consumers want more control and transparency over the handling of sensitive customer data and that 79% would choose not to purchase products and services from companies with questionable privacy protections.

A growing sense of frustration among US consumers has led to the passage of data privacy laws in several states, with similar laws under consideration in many states that currently lack data privacy protections. Of course, this patchwork of laws that vary from state to state hasn’t made life easy for privacy and compliance professionals at companies that operate across state lines. Action from the federal government to supersede state-level regulations with federal regulations would be welcomed by many CPOs and other privacy and compliance professionals, and by many consumers.

A closer look at the privacy push

To provide a more consistent data privacy landscape for companies and consumers, various parts of the federal government – Congress, the CFPB, and the FTC – are increasing their focus on data privacy. Beyond addressing variations between state-level privacy laws and the lack of data privacy regulations in states without a comprehensive data privacy law, the new federal privacy push also aims to improve the adequacy of the US.

Adequacy improvements would help the EU and other jurisdictions to feel more comfortable having their residents’ data shared and stored in US datacenters, and would address complaints like those that drove the recent EU Schrems II judgment. Such improvements would help US companies, especially technology companies, to better compete globally, and would also reduce the likelihood of future fines or other sanctions.

Although the US doesn’t currently have a comprehensive nationwide data privacy law, the following developments make the passage of such a law in the near future look more likely than ever before:

  • FTC active in several areas. In 2021, the FTC updated the Safeguards Rule component of the Gramm-Leach-Bliley Act (GLBA) to include “finders” (companies that match consumers with financial products), strengthen encryption requirements for sensitive data, and require annual risk assessments. The agency also issued a policy statement that the HIPAA Breach Notification Rule was extended to apps and medical devices that handle PHI, even when the companies creating those apps and medical devices aren’t otherwise covered under HIPAA. Finally, the FTC recently began what is likely to be a long-term process of defining new data privacy and security rules under its Section 18 Magnuson-Moss rulemaking authority. Depending on its outcome, this time-consuming process could result in the FTC eventually becoming the nationwide data privacy regulator.
  • CFPB takes a closer look at payment platforms. The CFPB recently announced an inquiry into payment platforms, part of an effort by federal agencies to better understand any data privacy risks that might exist in current payment services. The inquiry, initiated in 2021, is aimed at large tech companies like Facebook and Amazon as well as large banks that might benefit from financial data collection.
  • Congress debates the ADPPA. The draft American Data Privacy and Protection Act (ADPPA) is a landmark data privacy bill currently under review by the US Congress. If ADPPA becomes law, it will have a significant impact on businesses that operate in the US. ADPPA is similar in many of its provisions to the EU’s GDPR, and while the passage of this bill anytime soon looks uncertain, it is likely that something similar to ADPPA will become law nationwide in the near future.

Across these various agencies and efforts, the shape of future data privacy regulation is gradually becoming more clear:

  • The ADPPA, or a similar bill, is likely to become law in the next few years, and companies that haven’t prepared to protect, manage, and use sensitive data according to the most stringent data protection and minimization principles will find compliance to be costly and disruptive.
  • Even if the US Congress doesn’t pass ADPPA or a similar law, other federal agencies will continue to emphasize enforcement and clarify rules around the handling of sensitive data, ratcheting up the stakes for companies that don’t treat sensitive customer data with extra care.

So, given all of this, how can CPOs prepare their companies for success?

How CPOs are preparing

As a CPO who has worked in the privacy space at a variety of technology companies for over a decade, I’ve learned a few things about which approaches are most effective when it comes to data privacy. My high-level takeaway is: if you believe, as I do, that laws similar to the EU’s GDPR are coming soon to nearly every global market, the best way to prepare is to plan for that future, today.

Here’s my list of actionable steps to help your organization become more proactive about protecting sensitive data, so that you’re ready for any data privacy rules or laws that the US federal government – or other regulators – might create:

  • Use a privacy by design and privacy by default approach: When building new products and services, CPOs and compliance professionals must work with product and engineering teams to ensure that they use a privacy by design approach: privacy is built into the design, not added as an afterthought. CPOs should also ensure that default settings in their products and services are privacy-preserving, allowing customers to explicitly opt-in to any features that might reduce their privacy. This approach is required by GDPR, and it’s also the secret sauce of companies that consistently avoid data breaches and other high-profile data privacy missteps.
  • Follow data minimization principles: At the most basic level, you should ensure that you actually need a given type of sensitive customer data before collecting it. Then, you should conduct a sensitive data inventory to assess what types of sensitive data you collect. After completing your data inventory, revisit why you’re collecting this data, where it’s being stored (by database and country), who has access to it, and how long the data will be retained. If you’re collecting data you don’t need or retaining it indefinitely, then implement data minimization controls to fix these issues. You can implement data minimization controls using privacy-enhancing techniques like masking, tokenization, polymorphic encryption, and de-identification.
  • Strengthen and periodically review security safeguards: You can’t have data privacy without security, so keeping your encryption, authentication, and other controls up-to-date is critical to protect the sensitive data entrusted to you by your customers, keeping it safe from theft or unauthorized use.
  • Implement effective data governance: Implementing data governance starts with a data mapping and inventory to identify what types of sensitive customer data you collect, categorize the individual datasets, understand where this data is stored, who it’s shared with, and why. Finally, classify this data as PII, PHI, or other sensitive data types. And don’t forget to include data handled by your vendors. Then, having assessed the status of your organization’s sensitive data, it’s time to implement account-based and role-based access controls so you can ensure that sensitive data is only accessed for authorized workflows on a need-to-know basis.
  • Prepare for data subject requests: Data subject requests were introduced by GDPR but are present in other laws like CCPA. Such requests generally fall into two categories: data subject access requests (DSARs) that let consumers or other entities request a copy of data about themselves, and right to be forgotten requests (RTBFs) that let consumers or other entities request discovery and deletion of all data about themselves. My guideline here? If you need to support this process for customers in California and the EU, you should get ahead of the curve and treat all of your customers like residents of California and the EU. That way, you aren’t caught flat-footed when a new law or regulation includes DSAR or RTBF provisions.
  • Build a comprehensive plan to assess and address data residency requirements: Many data privacy laws include data residency requirements that restrict where sensitive data can be stored or shared, with the general aim of keeping it in the same country or region as a given data subject (i.e., a customer in Brazil has their PII remain in Brazil). Because such requirements can be challenging to meet when your products or infrastructure weren’t initially designed to address data residency considerations, the best approach is to build a comprehensive plan to solve this problem for all customers and geographies.
  • Assess and reduce data privacy risks: You should ask yourself and your organization questions about the safeguards and controls you have in place to protect sensitive customer data. Questions like: Where does our sensitive data reside, and could it be more centralized to prevent data sprawl? Who has access to this data, how much, and for which purposes? Then, take action to implement safeguards to address any issues that you uncover.
  • Adopt a global privacy framework: The privacy industry has developed several standard privacy frameworks. To get started, I recommend reviewing the privacy framework from NIST. You can find similar frameworks from other cybersecurity and privacy standards bodies.
  • Review FTC privacy consent decrees, the essential “anti-guide”: Closely reading FTC privacy consent decrees from companies that have made mistakes is a great way to avoid costly and embarrassing privacy missteps. As hotel and resort operator Wyndham Worldwide Group recently discovered, existing FTC consent decrees provide guidance on the practices that companies must avoid to steer clear of FTC enforcement actions. The FTC expects companies to be familiar with the existing body of privacy consent decrees, and avoid practices that resulted in previous FTC enforcement actions.

Following these recommendations puts your organization in compliance with common requirements that are present in most privacy laws and regulations. This vigilance moves you from a reactive approach of responding to each new legal development to a proactive approach where your organization is on the cutting edge of privacy protection and ready to quickly address whatever new regulations might come along.

Final thoughts

Adapting your business to ever-changing data privacy laws and regulations at the state and federal level one by one (a piecemeal approach) is a huge challenge that can be disruptive to your business. Worse, a piecemeal approach results in a patchwork of tools and one-off solutions that don’t scale or work well together. Many companies now realize that they need a new approach that’s both comprehensive and proactive to stay in compliance while remaining nimble.

Skyflow Data Privacy Vault isolates and secures sensitive data and tightly controls access to it, so that you can manage, monitor, and use that data. By taking a proactive approach to data privacy where sensitive PII, PCI, and PHI data is stored in Skyflow, you can effectively isolate, protect, and govern that data. This lets you get ahead of privacy regulations and deliver on the consumer demand for data privacy — the same demand that led to regulations like GDPR, CCPA, and the upcoming CPRA. By addressing the underlying need, you can be confident that you’ll be ready for whatever data privacy laws and regulations the future has in store for your business.