U.S. companies have watched over the past year or so as companies within the European Union's jurisdiction have incurred heavy fines for violating the GDPR. With data breaches and privacy violations now commonplace throughout the world, it might seem concerning to some that U.S. companies do not face the same consequences for failing to protect personal data. In reality, U.S. companies do face consequences, but those consequences are complicated.
Firstly, a company's obligations to a person affected by a data breach depend in part on the laws of the state where that person resides. Requirements vary by state: residents of one state may be entitled to free credit monitoring for a set period, or may have to be notified sooner than residents of another state. Companies themselves also fall under the jurisdiction of the state where they are headquartered or primarily do business. In addition to state laws that differ by geography, most federal privacy laws are written to regulate specific industry sectors. Overall, the U.S. falls short in protecting personal data generally, but it does have specific and prescriptive regulations for collecting and handling financial data, health data and children's data.
The increased frequency and scope of data breaches, along with the patchwork of data protection requirements that vary by state, underscore why the federal government is considering a sweeping national data privacy law that would hold more businesses accountable for protecting data. However, some states are not wasting any time.
Starting this January 1, the California Consumer Privacy Act (CCPA), signed into law by Gov. Jerry Brown, officially takes effect. The new legislation aims to give consumers specific rights over the personal data that companies hold about them. Privacy advocates say it is generally positive, that it closely resembles the GDPR, and that it leaves room for the requirements to be refined over time.
Although the CCPA will be good for consumers, companies within the law's scope will have to make significant efforts to implement its requirements. It adds yet another layer to the set of divergent U.S. data protection laws that companies already struggle to reconcile. However, the CCPA is the first law of its kind in the U.S., and it could set a precedent for other states. Because it applies to most companies that do business with California residents, wherever those companies are headquartered, the sweeping new law promises to have a major impact on the privacy landscape not only in California but across the entire country.
Paving the Way to Federal Law
The passage of a cohesive U.S. federal privacy law, one that would preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. However, the likelihood of such a law passing in the next few months is slim.
For a single privacy framework to pass, it must be flexible and scalable enough to accommodate differences in the size, complexity and data needs of the companies that will be subject to it. It will take several months of negotiation among lawmakers to agree on how the law would be implemented. Some open questions include:
Under what circumstances will companies be exempt from certain requirements?
Who will regulate and enforce the law?
Where would the funding come from?
How far will lawmakers be willing to go to protect consumers?
As organizations and consumers alike wait for the passage of a national privacy law and then for it to actually take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.