The European Union (EU) and its member states enacted the General Data Protection Regulation (GDPR) just over five years ago in May 2018. While some regulators and users continue to debate the GDPR’s effectiveness, the law has undoubtedly changed the way businesses and government agencies collect, process, and store consumer data.
In a nutshell, the GDPR requires organizations to obtain consent for data collection, maintain data protection measures and deliver transparent privacy policies. The legal framework extends beyond the EU, impacting U.S. businesses that process and store data from EU countries — standing in contrast to the fragmented data privacy laws among U.S. states.
Without a comprehensive law that regulates how U.S. companies use customer data, businesses across the country must navigate compliance and operational challenges while consumers face potential privacy risks.
The state of consumer data privacy laws in the U.S.
A number of U.S. states, including California, Colorado and Virginia, have adopted data privacy laws in recent years, and several states have active data privacy bills in place with the potential of becoming laws. Similar to the GDPR, these statewide regulations require businesses to offer clear and comprehensible privacy notices to consumers.
While these regulations promote and protect consumer data privacy for residents in applicable states, the lack of a national standard in the U.S. creates confusion and operational complexity for businesses. For example, under California law, businesses can sell consumer data without the consumer's consent as long as the user is at least 16 years old. But the minimum age stands at 13 in many other states, which means organizations operating nationally must navigate a patchwork of regulations while delivering a consistent customer experience.
Maintaining compliance with fragmented regulations has become cumbersome and resource-intensive, but failure to remain compliant poses an even greater financial risk because of hefty penalty fees. Moreover, disparate laws fail to offer consumers adequate control over their data, making their personal information more susceptible to unauthorized access.
These challenges raise a set of important questions: Could a federal data privacy law in the U.S. enhance consumer privacy rights? And could it solve compliance and operational challenges for businesses?
Would a national data privacy law help?
A federal data privacy regulation in the U.S. would benefit both consumers and businesses by advocating for consumer data privacy rights and simplifying compliance. If the U.S. enacted a data privacy law with consequences for noncompliance similar to the GDPR, it would force businesses to prioritize data security and create adequate data management processes.
Additionally, by including provisions such as “the right to be forgotten” — which requires businesses to remove or render a consumer’s personal information useless upon request — consumers can regain control over their data.
While the advantages of a federal data privacy law are clear, the future of such a framework remains uncertain. But organizations navigating today’s complex data privacy landscape can stay one step ahead by designing platforms that comply with the most stringent privacy regulations.
For instance, if only a few states require businesses to delete user data once it's no longer necessary for the intended purposes, a business launching a new mobile application should set data retention standards that comply with the regulations in those states. And if those state laws vary in stringency, it's wise to comply with the most stringent state's regulation. So, if other states adopt a similar law, the organization's application already has the right data retention framework in place.
Additionally, it's wise for business and IT leaders to revisit their current data protection practices and consider tactics such as tokenization to secure consumer payment and personal data. Tokenization replaces personally identifiable information (PII) with a random surrogate value (a token); it is the token, not the sensitive information itself, that is stored on the organization's servers, which makes the stored data useless to bad actors in the event of an attack. So, even if an organization experiences a data breach of those servers, consumer data remains secured and the process of notifying customers of the breach becomes much less taxing.
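An added illustration (not from the article or from Bluefin) of the tokenization pattern described above, and of how deleting a vault entry satisfies a retention or right-to-be-forgotten request: the application keeps only random tokens, while the vault, which must itself be access-controlled and protected separately, is the only place the PII exists. The TokenVault class, the sample card number and the in-memory dictionaries are constructed for this example.

```python
import secrets
from typing import Dict, Optional


class TokenVault:
    """Constructed example: the vault is the only component that holds PII.

    Tokens are random surrogates with no relationship to the PII, so nothing
    outside the vault can recover the original value from a token.
    """

    def __init__(self) -> None:
        self._pii_by_token: Dict[str, str] = {}

    def tokenize(self, pii: str) -> str:
        # 128 bits from the OS CSPRNG, fresh per call: two records holding the
        # same PII get different tokens, so they cannot be linked by comparison.
        token = secrets.token_hex(16)
        while token in self._pii_by_token:  # practically unreachable collision guard
            token = secrets.token_hex(16)
        self._pii_by_token[token] = pii
        return token

    def detokenize(self, token: str) -> Optional[str]:
        # Only the narrow, authorised vault boundary (e.g. the payment step) calls this.
        return self._pii_by_token.get(token)

    def forget(self, token: str) -> bool:
        # Retention purge or right-to-be-forgotten: dropping the vault entry renders
        # every copy of the token held elsewhere permanently meaningless.
        return self._pii_by_token.pop(token, None) is not None


def looks_like_pan(value: str) -> bool:
    # Heuristic used by the demo: a card-number-shaped string of 13-19 digits.
    digits = value.replace(" ", "")
    return digits.isdigit() and 13 <= len(digits) <= 19


def demo() -> dict:
    vault = TokenVault()
    app_db: Dict[str, dict] = {}          # the application's own storage: tokens only
    pan = "4111 1111 1111 1111"           # constructed sample card number (a test PAN)
    for order_id in ("order-1", "order-2"):
        app_db[order_id] = {"customer": "alice", "card": vault.tokenize(pan)}
    token1, token2 = app_db["order-1"]["card"], app_db["order-2"]["card"]
    return {
        "leaked_pan": any(looks_like_pan(r["card"]) for r in app_db.values()),  # breach of app_db
        "tokens_linkable": token1 == token2,    # same PAN, different tokens
        "recovered": vault.detokenize(token1),  # vault can still serve the payment step
        "forgotten": vault.forget(token1),      # customer asks to be forgotten
        "after_forget": vault.detokenize(token1),
    }
```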
A federal data privacy law in the U.S. would establish a unified standard for data collection and storage across states. More consistent and comprehensive protection of personal information enables businesses to operate more efficiently and helps consumers avoid uncertainty when it comes to the security of their personal information. And by prioritizing data privacy and protection today, organizations can proactively mitigate the need for significant operational changes should a federal privacy mandate become law.
Tim Barnett, chief information officer, Bluefin