Federal data privacy legislation in the United States is looking increasingly likely to pass in the foreseeable future. This renewed outlook is a stark change for those who remember previous legislative proposals, like the 2009 Personal Data Privacy and Security Act that never received a floor vote.
One reason for the shift is likely increased consumer concern in the wake of countless high profile breaches that have occurred in recent years. Another factor is certainly the complex, confusing, and conflicting patchwork of laws and regulations in the United States, with individual state laws, industry regulations, and even international rules often applying to a given business.
Regardless of the reasons for the shift, we have noticed a marked increase in questions about the actions companies can take in response to these legislative efforts. This two-part series will focus on two actions that companies can take to prepare for potential data privacy legislation: first, understand the proposed rules, and second, conduct a data assessment and address the risks it identifies.
Some of the many proposals by federal lawmakers include:
- The Data Broker Accountability and Transparency Act, which would apply to “data brokers” and provide consumer rights that are similar to those under GDPR and the California Consumer Privacy Act;
- The Application Privacy, Protection and Security Act, which would primarily apply to phones and the apps available on them;
- The Social Media Privacy and Consumer Rights Act, which aims to introduce additional privacy-related rights and protections on social media platforms;
- The Consumer Information Notification Requirement Act, which would empower the Federal Reserve and the Comptroller of the Currency and would likely impact the insurance industry;
- The Consumer Data Protection Act, which would amend the Federal Trade Commission Act, allowing the FTC to enforce data privacy and security standards and providing for the possibility of 10-20 year jail sentences for some violations;
- The Data Care Act, the most broadly applicable proposal, which would appear to impose significant duties on “online providers,” such as duties of care, loyalty, and confidentiality, but would not “modify, limit, or supersede” other federal or state laws on privacy or security; and
- The American Data Dissemination Act, which would require the Federal Trade Commission to propose initial data privacy rules, allow Congress to make changes to them, task the FTC with enforcement, and supersede state laws.
Private companies are also actively weighing in. Representatives from IBM, Alphabet (Google’s parent company), and Intel have all proposed legislative frameworks with broader scopes that are less industry- or technology-specific.
Notably, there appears to be general agreement around including breach notification standards, and many seem to favor creating GDPR-like rights and duties, such as required risk assessments and rights of access, correction, and deletion.