The lack of a federal data privacy law is a gaping void at the heart of present-day American competitiveness, and it’s growing larger every day. As consumers prioritize trustworthiness more than ever, they find it harder and harder to trust businesses, with Pew finding nearly 80% concerned about companies’ data practices. Meanwhile, companies themselves are grappling with a surge in distinct state-level requirements. Over 20 new privacy bills have already been introduced this year, and one week in March alone saw the introduction of New York’s A6042, Colorado’s SB21-190, and West Virginia’s HB 3159. It’s a welcome sight to see state legislators addressing public concerns about misuses and exploitation of personal information. But a patchwork of state-by-state privacy regulations is not a viable framework for actually restoring user trust in the internet, or for the advancement of American business interests in the wake of a pandemic. A federal law is the only way out of this data morass. In many important ways, patchwork state laws only sink us in deeper.
The US state-level privacy landscape
Here’s the current state privacy law landscape: California’s CCPA is the trailblazer and other states are quickly following the Golden State’s lead. Virginia’s Consumer Data Protection Act was signed into law with bipartisan support last month, and 18 states are actively considering their own bills. Each new bill comes with a descriptor like, “This bill resembles legislation in State X, but with the following key differences…” None of them are exactly the same in terms of either the rights they grant to citizens or the obligations they place on businesses.
In other words, America’s current privacy path will not deliver what it should: harmonization for Americans and their personal data. This patchwork of state-level requirements is actively doing the opposite, in fact. And in three key respects, this approach has significant, tangible costs.
The cost to businesses
First, state-level regulations cannot restore American businesses’ leadership in the international data economy. The US is playing catch-up while Europe sets global privacy standards, signified by its “A Europe for the digital age” initiative unveiled in late 2020. Because the EU found US data practices inadequate for handling EU citizens’ data, the US and the EU are now working to replace the invalidated EU-US Privacy Shield: an agreement relied upon by over 5,300 businesses for transatlantic data exchanges. EU leaders have specifically cited the implementation of a US federal privacy law as a stepping-stone to a new agreement. Without an agreement in place, SMEs are paying the price: in legal fees to complete data transfers and in local infrastructure to house data. Federal privacy legislation is a needed ingredient for SMEs to regain a competitive edge in data-driven business.
Next, patchwork state laws mean companies must grapple with growing lists of requirements for technical infrastructure. On the front lines of privacy tech, we see the technical effort needed for businesses to get into compliance with just one state law, the CCPA. This year’s batch of state laws is causing technical and legal teams untold confusion about how best to plan for 50 slightly different sets of business requirements. Ultimately, this confusion drives companies to view privacy as avoiding fines rather than building trust. Digital customer interactions are increasing drastically because of the pandemic — by roughly 25%, according to McKinsey. This shift enables companies to expand user bases in faraway states, but it also puts those companies within the scope of more state-level privacy requirements. Further complicating compliance with additional laws is the opposite of what organizations need today: 44% of organizations listed lack of privacy awareness as 2021’s key data privacy challenge, and 67% didn’t believe they could sustain privacy compliance. A confusing patchwork will worsen knowledge gaps precisely when Edelman’s Trust Barometer says we need to be more information-literate than ever.
Of course, the ultimate utility of a legislative approach should be primarily assessed by its benefit to regular citizens. And here also, a patchwork approach to privacy law is a disservice to Americans. We know the public already has trust issues with the internet — 68% of consumers worldwide attest to not trusting companies to treat their data responsibly, and 52% of Americans decided against using a product or service because they thought it collected too much data, per Pew Research Center. And while one might say, “So? People still use Facebook,” recent trends show that Americans will increasingly “vote with their feet” when presented with viable privacy-conscious alternatives. A great example: the way users flooded to Telegram and Signal when WhatsApp unveiled sweeping, invasive updates to its data processing practices in January. Telegram signed up 25 million users in a mere 72 hours. Furthermore, market leaders like Apple are using privacy features as a point of product differentiation. It’s clear that public appetite for privacy is impacting marketplace offerings. So what’s stopping the American public from attaining privacy literacy?
The problem is education. Pew Research Center finds that 63% of Americans report little or no knowledge of privacy regulations, yet 75% express support for greater regulation. If privacy rights aren’t set to a common federal standard throughout the United States, that education mission becomes substantially more difficult. Consolidated resources, decision-making, and messaging can all go a long way in bridging the education gap for American citizens — witness the public penetration of GDPR awareness in Europe. A state-by-state approach to privacy law nullifies any opportunity for economies of educational scale in America. If anything, it’s likely to leave the average citizen more confused than before.
The privacy build that businesses need
As federal privacy bills emerge, lawmakers should seize the opportunity to elevate the US to be a global leader in privacy while harmonizing privacy for businesses. Last month, Representative DelBene introduced the Information Transparency and Personal Data Control Act, and Senator Schatz reintroduced the Data Care Act. Just last week, Representative Jerry McNerney named a bipartisan federal privacy law a priority by the end of 2021. We must promptly fill the federal privacy void; but not just any privacy bill will do. The long-term legislative solution needs to codify comprehensive privacy rights for all Americans, like GDPR does for EU residents. The legislation must set clear applicability and enforcement criteria for businesses nationwide, and it must be strong enough to restore the international trust in US data systems.
In the meantime, teams should configure their privacy ops in compliance with GDPR. If you comply with GDPR, you probably meet the foreseeable privacy requirements.
Cillian Kieran is CEO and founder of privacy company Ethyca. He has extensive technical experience working with legacy enterprise organizations such as Heineken, Sony, Dell, and Pepsi, building data platforms, visualization tools, and leading strategic advisory in change management and data governance policy definitions, liaising with CIO, CDO and legal counsel.