In 2020 during the COVID-19 pandemic, data became the lifeblood of the digital economy due to the shift to digital consumer behavior and the reliance on contact tracing to help curb the virus spread. Especially with many Americans now saying they want to continue to interact with brands online post-pandemic, it was inevitable that those changes would reignite the conversation about data privacy, security and the benefits of greater regulation.
Brands have long walked a delicate tightrope between tracking for commercial purposes while ensuring the privacy of the data is compliant with a hodgepodge of regulations. Now, could the changes of the last few months be what America needs to finally enact a federal privacy law? Is a United States privacy law (inspired by the GDPR) now viewed as necessary? And are brands ready to meet the next data compliance requirements?
GDPR, CCPA. Is a United States national privacy law next?
Before we can look at the potential of data privacy legislation at a national level, let’s first reflect on what has happened before (and how it has influenced how we think about a federal law today). The General Data Protection Regulation (GDPR), an EU law that went into effect in May 2018, signaled the beginning of a long line of regulations and legislation that highlighted the importance of users’ privacy and data protection (and imposed harsh penalties on those who violated it).
Shortly after its implementation, California, the United States’ largest economy, enacted its own legislation, the California Consumer Privacy Act (CCPA), inspired by the GDPR, using parts of the regulation as a foundation while adding newer protections. Like its international cousin, the act extended enhanced privacy rights and consumer protections not only to California citizens but also to customers of California businesses.
Similar to GDPR’s influence, CCPA and the California Privacy Rights Act, commonly known as CCPA 2.0 because of its significant updates to the original CCPA (such as the creation of a Privacy Protection Agency in California), have inspired other states. California’s laws were influential in drafting Virginia’s Consumer Data Protection Act (CDPA) and the (now failed) Florida Privacy Protection Act. Once legislators and businesses see what’s working well, they’re able to lay a foundation for their respective bills.
I’ve only listed a few pieces of state legislation; there are over 30 states with bills that are close to passing or in the early stages of being drafted. Colorado’s Privacy Act may have passed by the time this article is posted. It’s no wonder American brands are experiencing a lot of apprehension with regard to how to stay compliant.
With so many laws at the state level, some privacy experts think a national law could make some of them redundant. For a number of invested parties, it would make things more straightforward, but only if it took precedence over state laws. A national law could potentially make efforts like enforcement clearer and more streamlined. Furthermore, the U.S. could join the likes of the EU, which is seen as the leader in privacy on the world stage.
Last year alone, we saw a number of privacy-related policies pass across America, including a Massachusetts bill that gave consumers new protections for their vehicle data, which was popular among 75% of state residents, and Michigan’s Search Warrant for Electronic Data Amendment, which had little trouble passing with an 89% majority. Laws that have already been passed will be influential in drafting a federal law.
But there are others who are nervous. Some think a national law would only make the mismatched patchwork of state laws more confusing. Is a private “right of action” included in Mississippi? What’s the definition of “sensitive personal data” over in Nevada? This is a compliance nightmare for brands that do business in more than one state. A national U.S. privacy law could end up being a juggling act for years to come, given the varying state legislation and continued changes in technologies and attitudes toward privacy.
How soon should brands be getting ready for a U.S. national privacy law? It depends. While it won’t happen overnight, many say it may happen during this administration. President Biden’s administration is filled with members of Obama’s administration, who worked on the “Obama Consumer Privacy Bill of Rights.” Former President Obama established a Federal Privacy Council and even issued a Privacy Bill of Rights, which was “designed to create a framework for federal privacy regulation.” If it’s going to happen, it will likely happen over the next four (or eight) years.
So, what can brands do to prepare and stay compliant with the state and industry-specific hodgepodge of regulations in the meantime?
Prepared for tomorrow, today
If a national privacy law is on its way, it’s safe to say that it’ll borrow elements from CCPA and GDPR. While there are seven main principles in GDPR, the most important one is transparency. I believe that transparency is vital to building trust between the business and the consumer. So, brands should first audit whether they are currently upfront and transparent about how they use customer data, and consider ways to integrate data transparency into users’ everyday online experience. Understand what data your organization collects, from whom, for what reasons, and what the end goal for that data may be. You can’t protect data or competently respond to customers if you don’t know what you have or where it is. Once you know what data you collect, focus on the why. Why do we collect this information? Do we really need it? More data isn’t necessarily better data. Be responsible; it’s not yours, after all.
A practical way to then implement transparency around data privacy is with a pop-up or banner that delivers data opt-in choices to the customer front and center when a user visits your site or app. Potentially, though, an automatic opt-out system could be what eases the friction of legislative approval. Opting in shouldn’t be mandatory; the default should be opted in unless the user rejects it. This gives the best of both worlds. On the one hand, you are being transparent and explaining that you are using data for specific reasons, and on the other you are giving a clear and deliberate option (e.g. a button) to opt out.
I’d also recommend at least being familiar with the latest rules, whether that’s GDPR, CCPA or a newly introduced state law. Manually ensuring the data privacy of an organization’s users is easier said than done. Unfortunately, the regulatory landscape is more confusing than it has ever been, especially with the rise of different regulations and updates to previously approved ones (like CCPA 2.0 in California). Plus, in our globalized world, data flows from one country to another, giving rise to legal battles if, for example, a company in California inappropriately uses data from a resident of Ireland. Work with a compliance management technology partner that can help manage the process of staying compliant as the rules change.
Stay attuned to attitudes toward privacy among your customers and other brands, as well as at the legislative level. While there is no set date for a national privacy law, organizations should be ready for one now, because your customers expect you to take data privacy seriously. The implications of not being transparent with users go beyond fines; a bad reputation is harder to bounce back from. Evaluate the risk in light of the increased concern and awareness in the market, and then decide what you should do next. Consider your data privacy plan like you would an insurance policy on your vehicle. It’s just as serious. It’s better to have it in place and never be charged than to be charged and not have it in the first place.
After years of data misuse, consisting of mishandling, tracking and selling people’s data for marketing purposes with little to no knowledge from or transparency with consumers, brands must work to show they want to do right by users and their data. Federal law or no federal law, they shouldn’t wait: the time is now. Being compliant with current regulations is the first, great step to ensuring not only that data will be protected and trust preserved, but that a brand will be ready for the United States’ take on a national privacy law.