With the introduction of the General Data Protection Regulation (GDPR) in the EU over two years ago, the question of whether the US will ever follow suit and adopt a similar regulation of its own has circulated in the data privacy community for some time.
Although the US has frequently been accused of lagging behind other jurisdictions when it comes to consumer privacy, the last few years have seen some notable changes to the US privacy landscape. In this context, could a change be on the horizon?
The US privacy landscape
Currently, US businesses that offer goods or services to, or monitor the behaviour of, people in the EU must adhere to GDPR when handling their personal data, but no central consumer privacy regulation, and no data protection authority aside from the Federal Trade Commission (FTC), exists in the US itself.
Instead, there are several federal privacy laws that focus on specific areas, such as the US Privacy Act of 1974 and laws protecting health data, children's online privacy and financial information.
According to data security company Varonis, this lack of federal regulation comes from a desire to foster innovation, which it refers to as a "break it and see what happens" mindset, with the current administration taking a "business friendly" approach, sometimes at the expense of personal data protections.
This mindset became especially apparent after companies behind infamous data privacy events, such as the Cambridge Analytica scandal, received minimal consequences for their actions. Although the FTC has issued a $5bn fine to Facebook, when it comes to Silicon Valley giants, this is a "seemingly inadequate, unconscionably delayed, and historically hollow result", according to Senator Richard Blumenthal.
According to the Washington Post, there was a "flurry of new privacy-related legislation" proposed following the Cambridge Analytica scandal, such as the Consumer Online Privacy Rights Act proposed by Senator Maria Cantwell or the United States Consumer Data Privacy Act proposed by Senator Roger Wicker.
However, gaining support for such legislation has proved a struggle, especially contending with the powerful tech lobby, although some tech companies have come out in support of federal privacy regulation.
In the absence of robust federal legislation, state-specific legislation has emerged.
“Many states have and are planning to implement more data protection regulation and this is changing the way that American businesses are thinking about and planning to use the data that they collect,” says Darren Wray, CTO at data privacy experts Guardum.
“Data is, after all, big business; you only have to look at some of the business plans for Silicon Valley start-ups over the last few years. In many cases, their approach could be summarized as ‘collect as much data as possible and monetise it’. New startups are starting to look at things a little differently and are beginning to recognise that such a wild west approach doesn't have the longevity that investors are increasingly looking for.”
Currently, only three US states, California, Maine and Nevada, have enacted consumer data privacy acts, with a further 18 at various stages of the legislative process.
In July, the California Consumer Privacy Act (CCPA) became enforceable; it is widely regarded as the most comprehensive consumer privacy regulation introduced in the US so far.
The act “grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors” and imposes fines for intentional and unintentional violations.
Since then, Walmart has been hit by a CCPA lawsuit after a California resident alleged that personal data the company held on him was stolen, causing “significant injuries and damage”.
“Since the US lacks federal-level privacy regulation similar to GDPR, the likes of statewide requirements are left to drive conversations around protection of personal information,” Chad Mcdonald, CISO and vice president of customer operations at Digital.ai, tells Verdict.
“CCPA in particular has forced the hand of organisations storing or processing personal information across the US. While GDPR really set the stage for privacy enforcement, CCPA has been the only reasonably effective legislation in this area since HIPAA in 1996.
“There was an attempt at privacy regulation through Privacy Shield but it ultimately proved ineffective and most organisations seem to defer to GDPR as the standard for defining the appropriate handling of personal information.”
Earlier this year, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD) came into force. The act broadens the definition of a data breach, sets out requirements for “reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities” and requires businesses to notify New York residents if their data is mishandled.
“More and more states are ‘getting on the bandwagon’ by expanding privacy rights and the scope of the definition of privacy, often with increasingly proscriptive consequences,” Robert Cattanach, partner at international law firm Dorsey & Whitney, tells Verdict.
“These initiatives may, or may not, be well founded in the sense of addressing a demonstrated need, but if state legislative leaders are inclined to make this a signature issue in an election year, there is little organised opposition. There appears to be an atmosphere of ‘one upmanship’ among some of the more progressive legislatures, and the recent EU decision on Schrems has, if anything, accelerated this trend.”
Privacy Shield ends: The fallout
More recently, a significant change to the US data privacy landscape came in the form of the ending of the US-EU Privacy Shield.
This previously allowed the transfer of personal data between the EU and over 5,000 US companies, but was invalidated by the European Court of Justice on the grounds that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”.
For the US companies that relied on the Privacy Shield for the transfer of data, this will mean an urgent adjustment of their data handling practices in terms of where the data they hold on EU citizens can be processed.
“Many organisations are still working through some of the ramifications of this change,” says Wray.
“In the immediate term, companies have scrambled to react, with many of those who were operating under the EU-US Privacy Shield turning to Standard Contractual Clauses to replace their reliance on the now-defunct Privacy Shield.
“Those with more than half an eye on the future are likely to realise that Schrems 3 is likely to target those clauses, meaning that SCCs may not be valid in five years’ time (it is five years since the collapse of the Safe Harbor agreement, the predecessor to Privacy Shield which was taken down by the original Schrems case).”
It is clear that, while legislators may be slow to act in this area, businesses are now under pressure to comply with various regulations, creating an increasingly complex regulatory environment.
Is federal legislation on the cards?
The question that looms over any discussion of US data privacy is whether overarching federal regulation is on the cards, with many data privacy experts fearing that state-specific rules could create a “patchwork of regulations”.
While state legislation can be seen as a step in the right direction, the last few years have seen data privacy receive attention from the general public on a previously unprecedented scale, leading calls for overarching legislation to grow louder.
The Electronic Privacy Information Center has campaigned for the creation of a US data protection agency, describing current privacy laws as “woefully out of date and fail[ing] to provide the necessary protections for our modern age”.
Non-profit advocacy group Public Citizen has also campaigned for “privacy and digital rights for all”, calling for privacy laws that are “decades out of date” to be updated.
The issue of data privacy has also gained new urgency due to the Covid-19 pandemic and the potential rollout of contact tracing in the US in the future. SonicWall CEO Bill Conner tells Verdict that “the US is doing a lot of work on [contact tracing], and has talked a lot about it but it's all kind of behind the curtain at this point”.
Rolling out a form of contact tracing without robust consumer privacy protection risks the misuse of geolocation and personal data.
Chris Strand, chief compliance officer at IntSights, believes that the US data privacy landscape is evolving, in part due to a greater awareness of the issue.
“The US information privacy and data security landscape has evolved to a greater maturity on the use of data as well as the definition of what constitutes sensitive data,” he says.
“There is much more awareness and focus on data protection with every significant information privacy law that is passed. I have noticed a positive shift across the industry that is driving more attention on ensuring security controls are given proper diligence around the data they are supposed to be protecting.”
He believes that this could one day lead to overarching legislation resembling GDPR.
“Unless significant change is applied to address the legal flexibility that individual states have, I believe that the US will continue to lag behind at a state-by-state level,” he explains.
“A federal-level data privacy law would definitely help address this though, and if that law hits the mark on meeting variables found in the likes of the CCPA in California, that could help the US catch up and possibly mature past other landscapes.
“[A federal privacy law] has been on the cards for the past couple of years and there have been numerous privacy bills proposed to the US Congress.
“I believe there will be a point where it will make sense to pass a federal law that provides the foundation upon which individual State laws can be configured. When that time comes, I suspect that a federal law will look very similar in nature to either the GDPR or the CCPA.”
Slow progress ahead
For businesses, it is expensive and impractical to abide by a multitude of different privacy regulations, which has led some to call for federal data privacy laws.
However, opinions from the tech community on whether this will become a reality are mixed.
According to Varonis's Andy Green, it is “perhaps only a matter of time before a federal law is introduced to create a level playing field”, but other experts fear progress in this area could be slow.
“US privacy protections will not improve under the current administration,” says Digital.ai’s Mcdonald.
“Should the upcoming elections shift political control? That possibility exists. In the interim, little if any protections for the individual will come from the federal government. State-level protections are possible, but Covid-19 response has likely taken precedence over such legislation.
“Strict state-level protections are likely in the cards for Democratic-controlled state governments. As is typical in the US, progressive states will likely lead the charge (California, New York, Massachusetts, etc.) and ultimately build consensus before federal action follows. Political divisions will continue to slow this process within Congress or subsequently in the courts.”
Dorsey & Whitney’s Cattanach echoes this, believing that only once state-by-state legislation becomes unfeasible will federal regulation step in.
“Once the pain becomes unbearable, Congress will swallow its differences and adopt a federal standard. That is unlikely to happen anytime soon (e.g. this legislative session) but medium term – e.g. next 2-4 years – seems increasingly likely,” he explains.
However, for others, it may not be a matter of state versus federal legislation at all, with a hybrid approach also a possibility.
“On the face of it, a federal data privacy law makes a lot of sense; businesses, for example, have to comply with a single regulation rather than potentially 52 variations on a theme for those who operate across the USA,” says Guardum’s Wray.
“There are, however, downsides, in that most federal level laws in the US tend to be prescriptive (you must do A, B and C to comply) rather than risk-based (you must take proportionate steps based on the data you collect and process). This could mean that any federal regulation could be less stringent than those implemented by the individual states.
“Ultimately it is likely to end up as a hybrid solution, with the federal regulation determining the minimum requirements and some individual states implementing their own additional requirements on top where they feel particularly strongly about a requirement.
“This is very much the norm in the USA, where California will very often lead the way in respect to environmental and data issues, creating legislation that fills in the gaps as they see them.”