US Data Privacy - Preparing for increased regulation
Adam Smith the economist once said, “Consumption is the sole end and purpose of all production; and the interest of the producer ought to be attended to, only so far as it may be necessary for promoting that of the consumer.” The consumer, in the context of privacy and data protection, is the data subject, and personal information is what is produced. Adam Smith believed that from an economic perspective, consumers should control the conversation.
In the US, the conversation about privacy is regularly framed in economic terms. So, does that mean individuals in the US don’t care about the fundamental rights associated with personal information? Not at all!
Individuals in the US care deeply about the fundamental rights associated with personal information. However, that concern manifests itself in a unique way because of the legal framework in which these fundamental rights evolved. Just as in any other country or region, the history of the US has shaped its modern-day approach to privacy. Let’s look a little deeper into the history of privacy in the US and how it relates to the global privacy and data protection conversation about fundamental rights.
In the United States private sector, the conversation associated with privacy and data protection has been an economic one, focused on the balancing of interests described by Adam Smith. But if you look beyond the economic conversation into the historical fabric of conversations about U.S. government access to and use of the personal information of its citizens, the conversation is about fundamental rights. This covers government organizations (the public sector) and quasi-public sector organizations, and it aligns closely with the current global conversation about an individual’s fundamental rights associated with personal information.
For example, the US Constitution is fundamentally about limiting the powers of the US Government, and that limit applies to the personal information of its citizens. In the US public sector, the Fair Information Practices were established in 1973. These are principles the US Government must follow when processing personal information. These principles include:
- Data subject rights, including notice, choice and consent, and data subject access.
- Processing controls, including information security and information quality.
- A focus on the whole information life cycle, including collection, use and retention, disclosure, and destruction.
- Management of personal information, including management and administration, monitoring and enforcement.
These Fair Information Practices (FIPs) led directly to the US Privacy Act of 1974. The underlying right to limit government use of personal information is derived from the 4th Amendment of the US Constitution (as well as the 1st, 3rd, 5th, 9th and 14th Amendments), and it is evident in sectoral laws and judicial decisions throughout the history of the US to the present day.
Sectoral Approach to the Private Sector
The approach to privacy in the private sector evolved in a very different way because of the way the US was founded and the philosophies and education of its Founders. They focused on individual freedoms, which included economic freedom. Personal information has always been a commodity in the US, and the balance between personal freedom and economic freedom has been regulated in specific commercial sectors where personal information is central, such as marketing, health, and finance. This has resulted in US Federal and State sectoral privacy laws.
However, technology has evolved and matured at an exponential pace, and the sectoral laws and regulations have not been updated at the same pace. Consumer understanding also grew at a slower pace so when personal information could be given in exchange for free services, consumers were quick to adopt the convenience and quality of life being offered, and private sector technology companies were free to process personal information with limited consumer or legal restrictions. Governments also started to realize the value of the information being collected and modified the laws to gain access to the information technology companies were amassing.
Merging the Public and Private Sector Ethos
The level of knowledge and understanding of consumers is quickly catching up to the technology being used. Consumers now understand that nothing is free and that technology providers have amassed so much information that every individual using technology has a virtual persona being tracked by many organizations. Consumers also now understand that the conveniences they have grown accustomed to, and in some cases feel entitled to, require this personal information to run.
The response in the US is a demand for controls on the technology offered by the private sector, similar to the FIPs-based laws and regulations that already exist for the US public and quasi-public sectors.
Federal Omnibus Privacy Law
We are often asked whether the US will finally join the global revolution and enact a US Federal omnibus privacy law. Given the history, background, and legal framework we just discussed, the answer is a complicated one. While several bills have been introduced at the Federal level to do just that, there are hurdles that must be overcome. For example, every US State and Territory now has a Data Breach Notification law. Will these laws be superseded by the Federal law (otherwise known as preemption), or will there be an exception (a derogation) that preserves stricter US State laws? Will the Federal law allow a private right of action by data subjects? This has proved to be a particularly contentious topic at the state level.
There is increasing pressure internationally to provide equivalent levels of protection for the personal information being processed in the US. In order to continue working globally, US-based companies need an efficient framework of laws that will create that level playing field and allow for efficiencies, provide clear requirements that are actionable, and allow businesses to function at the speed of business.
My crystal ball is a bit cloudy, but I’m leaning toward a Federal privacy law that allows US States to have stricter laws in certain areas of the law. As to the private right of action, because the US is such a litigious society, there will be significant push-back. But I believe a private right of action may make an appearance with appropriate caps on damages.
In the meantime, several existing US Federal laws already impose privacy and security requirements on specific sectors:
- Healthcare sector, which includes the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act of 2008 (GINA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the Confidentiality of Substance Use Disorder Patient Records Rule, and the 21st Century Cures Act of 2016.
- Financial sector, which includes the Fair Credit Reporting Act of 1970 (FCRA), the Fair and Accurate Credit Transactions Act (FACTA, which includes the Disposal Rule and the Red Flags Rule), the Gramm-Leach-Bliley Act (GLBA), Dodd-Frank, and anti-money laundering laws.
- Education and children’s privacy, which includes the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).
- Telecommunications and marketing sectors, which include the Telephone Consumer Protection Act of 1991 (TCPA), the Telemarketing Sales Rule of 1995 (TSR), the National Do Not Call Registry, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), the Cable Communications Policy Act of 1984, the Telecommunications Act of 1996, Section 230 of the Communications Decency Act (CDA), the Video Privacy Protection Act of 1988 (VPPA), and the Video Privacy Protection Act Amendments Act of 2012.
State Privacy Laws
Under the doctrine of preemption, Federal law overrides conflicting State law; but where US Federal law does not preempt an area, the US States retain the power to legislate in it. Some of the sectoral legal areas associated with privacy and data protection that have been left to the States are:
- Consumer protection,
- Data breaches,
- Data destruction,
- Information security,
- Workplace privacy (pre, during and post-employment).
Consumer protection law is where most of the legislative activity is occurring, and it is the most visible from a media perspective. California passed the California Consumer Privacy Act (CCPA), followed by a successor law, the California Privacy Rights Act (CPRA). Several amendments and regulatory updates have also been introduced, as well as a California omnibus law that is currently in committee. Nevada passed a consumer protection privacy law and has since introduced a subsequent bill. Consumer protection privacy laws have been passed in Maine, Vermont, and Virginia, and a Florida bill has just passed the House of that state’s legislature. Texas and many other states have privacy bills under committee review, while others have no activity at all.
Other consumer-facing laws, regulations, and codes of conduct that have appeared at the state level focus on biometrics, artificial intelligence, and location tracking, adding to the patchwork quilt that is privacy at the US state level.
Patterns and Trends
US States are becoming very active in the absence of a Federal US privacy law. Watch for increasing activity at the state level and even the introduction of state-level omnibus laws similar to the one that has been introduced in California. There will be increasing pressure on the US Federal government to pass a Federal level omnibus privacy law.
How to Prepare
- Build your privacy and data protection program based on solid global privacy principles for a more agile program.
- Appoint a single person to monitor current patterns and trends and update the rest of your organization’s privacy and security community.
- Document your policies, procedures, and processes associated with privacy and data protection, then automate, automate, automate.
If you follow these basics, your organization won’t get whiplash as US (and global) laws and regulations evolve, and you won’t be forced into unnatural steps your organization isn’t prepared for. Design a privacy and data protection program with the future in mind. That requires you to invest today for tomorrow, but it will be well worth your time.
PrivacyEngine offers a wide range of consultancy services for all your data protection needs. We also specialize in US data privacy, with years of knowledge and experience. To learn more about how we can assist you, fill out the contact form and a member of the team will reach out to you with further details.