C3 has merged with Ingalls Read Press Release >>

The Current State of U.S. Privacy Law

It’s 2019, and data privacy has never been more important. This is what's going on in U.S. data privacy law today.

It’s 2019 and data privacy has never been more important. In 2018, we learned that repeated, systemic abuses of our privacy by tech giants like Facebook may be the commonplace among the many companies that gather and sell our data.

So why aren’t there more laws to protect us? Glad you asked. Here’s what we see going on with US privacy law today.

Consumer demand for data privacy is increasing.

When the European Union’s General Data Protection Regulation went into effect last year, it made global headlines—and for good reason. GDPR is the most comprehensive legal protection for privacy in effect, and enforcement is already being applied to companies outside of the EU. With both consumers and tech companies calling for action, there’s a strong chance that data privacy legislation is finally coming to the US.

There’s already been some movement.

In our data-centric economy, many states have already adopted some form of data privacy law—usually in the form of requiring companies report when they suffer a data breach.

As we’ve blogged about in the past, states like Massachusetts and California have taken progressive steps to enforce stronger protections for individual privacy. With data breaches increasing in magnitude, frequency, and impact, it’s high time for a unified federal framework for protecting privacy.

In Congress, senators Blumenthal and Wyden are taking the lead on privacy legislation.

In fact, Sen. Wyden has already published a fully-formed privacy bill. We assume this bill was heavily influenced by Chris Soghoian, Wyden’s Senior Advisor for Privacy and Cybersecurity, and we are big fans of his perspectives on privacy.

While we don’t yet know how this or similar legislation will unfold, here’s what we predict.

Personally identifiable information (PII) will be even broader.

Wyden’s Consumer Data Protection Act (CDPA) defines personal information as data “reasonably linkable to a specific consumer or consumer device.” So PII could be anything from email addresses to birthdays, usernames, zip codes, or gender—basically any information a company might collect to link an individual to his or her online activity, behavior, or preferences.

People will want to know what data companies are collecting about them.

When Mark Zuckerberg appeared before Congress last year to defend Facebook’s involvement with Cambridge Analytica and other privacy scandals, many ordinary people began demanding more power over their own data. Senator Wyden’s bill would give consumers increased control over how their data is shared. It requires companies to let consumers see what personal data they are holding and to fix any inaccurate data, as well as provide an option to opt out of that data being shared with third parties.

Risk assessments will become the norm.

These are a big part of Wyden’s privacy requirements. The proposed law requires assessments on data minimization, storage duration, and accessibility.

So will compliance reports.

The bill also asks large companies to provide an annual data protection report as proof that they’ve taken these measures. Good.

And those who don’t comply will likely be fined.

Wyden’s bill states that non-compliant companies could incur fines up to 4% of total revenue, so it’s no joke. It’s definitely a good idea to get moving on classifying and securing your data. And guess what: we can help.

Privacy and security are becoming one.

Privacy and security are converging into a unified concern for both businesses and individuals. Data points like location history, online buying habits, and who you interact with in your social network are—thanks to advances in big data and machine learning—aggregated and analyzed to the point of being a security risk.

Databases and consumer profiles may know more about us than we know about ourselves, and that risk extends to businesses protecting their own interests as well.

Information security practitioners are well-equipped to measure and mitigate business risk. With privacy issues increasingly becoming a top concern, many companies are beginning to view privacy and security as entirely interrelated concerns. Changes to privacy law are likely to introduce substantial fines for non-compliance, and businesses are well-advised to pay attention.

We recommend getting a head start.

Though we don’t know what federal privacy law will ultimately look like, it’s clear that new laws and enforcement are coming. It’s never too early to start preparing. Whether that means getting a risk assessment now, or simply figuring how you’re planning to keep your customers’ data safe, if you don’t already have a data privacy and security strategy, now is the time to get started.

Happy Data Privacy Day, everyone!