Most US citizens got their first taste of new privacy controls when their inboxes were flooded with privacy and personal information collection statements leading up to the May 25, 2018 imposition of the EU General Data Protection Regulation (GDPR). While the average American is notorious for willingly handing over his personal information to marketers, GDPR is giving privacy advocates and policy makers pause.
Should the US finally join the 53 countries that have passed stringent privacy laws?
The short answer is that privacy legislation in the US is not likely arriving anytime soon. Consider the fact that it has been thirteen years since the first federal data breach disclosure law was brought to a vote in the House of Representatives. The hope at the time was that a federal law could supersede the many State laws, making it simpler for companies to comply. Instead of what is now 45 separate State laws, there would be only one.
It would take extraordinary circumstances for Congress to push through any sort of privacy regulation, considering the strong forces that would rally against new regulations that would impose penalties on the stalwarts of the US tech economy – Facebook, Google and Amazon, to name just three.
At the White House, the possibility of an Executive Order has been raised, which certainly would be a fast-track action. It’s worth noting, though, that the first step was to consult with those tech giants, which doesn’t indicate we’ll see anything stringent passed anytime soon.
In the meantime, the California legislature pushed through a State privacy regulation that served to fend off a ballot proposal in November. The California Consumer Privacy Act of 2018 is not slated to go into effect until 2020. This gives the legislature time to revise it, something that is easier to do with a law than a ballot proposal.
This new California law gives consumers more control over how their data is used. While it does not explicitly provide for ‘the right to be forgotten,’ a key measure of GDPR, it does give consumers the right to request that their records be deleted and requires businesses to comply with those requests. One can imagine that as Google, Facebook, Apple, and others hone their ability to erase records on demand for EU data subjects and in California, State lawmakers (and courts in civil suits) will start to require such actions in every state.
Unlike GDPR, California limits the purview of its regulation to businesses with over $25 million in revenue, and those which collect information on more than 50,000 people. Other States are scrambling to enact their own privacy regulations, setting the stage for another breach disclosure mess. Lawyers will have to ensure that their employers or clients are in compliance with a plethora of State laws, with the most stringent becoming the catch-all for the rest. Congress will have to pass a national law that is at least as stringent as the most onerous of the States’ if they want to have an impact.
Of course, a regulation is only the first step. An enforcement mechanism must also be created. The EU already had data protection supervisors in most countries when GDPR went into effect. In the US it will fall to the State Attorneys General and possibly the Federal Trade Commission (FTC) to enforce privacy regulations. Budgeting for that is a concern that will need to be addressed.
Don’t forget that in the rest of the world, privacy regulation is aimed squarely at large US companies; $5 billion was recently levied against Google. In the US, proposed regulations face the gauntlet of strong lobbies in favor of US tech companies such as the Information Technology Industry Council and the technology committee of The Business Roundtable, a lobbying group made up of US CEOs including Apple’s Tim Cook, IBM’s Virginia Rometty and Verizon’s Lowell McAdam.
The time is not ripe for a US version of GDPR. Headwinds from lobbyists and a reluctance to impose costly regulations will prevent a federal privacy law from making progress. That said, look to the States to enact privacy regulations that will act as effective requirements for US companies.