When GDPR went into effect last May, many in the US were wondering whether a regulation like that could pass here. Of course, their reasons for asking that question were vastly different. Privacy advocacy groups (and many individual consumers) lauded the regulation as a step in the right direction. And while it may be, they don’t have to figure out how they’re going to implement GDPR.
States Enact GDPR-Like Regulations
Businesses do, and understandably, they range from lukewarm to downright hostile about bringing GDPR to our shores. For example, major publications such as The Chicago Tribune, the LA Times, and The Baltimore Sun cut off access to their sites for EU-based visitors the day GDPR went into effect. Presumably, losing those revenues was preferable to running the risk of being found non-compliant with the regulation.
At the other end of the spectrum, Facebook, Google, and Apple have called for GDPR-like regulations to be passed in the US. Of course, large organizations like these are more likely to have the bandwidth to comply. Being global companies, they should already have systems in place to comply with GDPR anyway. (And not to question their motivation or anything, but support for privacy regulation may help repair the reputational damage some notable organizations have suffered from recent scrutiny of their data management practices.)
States Won’t Wait
You can pretty much count on GDPR-like regulations being proposed in Congress. Whether or not they have a chance of passing depends on how much popular support they receive. As much as Americans are concerned about privacy, there’s strong anti-regulatory sentiment in many parts of the country, and congressional representatives may not be willing to chance it during a (never-ending) election cycle.
There’s also a question of which government agency would administer such a regulation. It’s not an obvious fit for any of the existing agencies, and creating a new agency in the current political environment would be an even tougher sell.
But for many businesses, it may not matter whether Congress acts or not, as states are starting to model their own privacy laws on GDPR. For example, the California Consumer Privacy Act of 2018 (CCPA) gives California residents the right to request that a business disclose the specific pieces of personal information it has collected about a consumer, as well as the sources of that information and the business purpose for collecting it.
Like GDPR, the California law also gives consumers the right to request that a business delete the personal information it has collected about them. Consumers also have the right to opt out of the sale of their personal information without being discriminated against by the business for doing so. The law goes into effect on Jan 1, 2020.
Even less regulation-friendly states like North Dakota are getting in on the act. In the last legislative cycle, HB 1485 was proposed to allow North Dakota residents to ask organizations what personal data they have collected and how it has been shared. It would also have allowed residents to demand that the data be deleted and to opt out of future data collection. However, the bill was amended into a legislative study of the issue before it passed the North Dakota House by a nearly unanimous vote.
More information on California's law, as well as laws passed and pending in other states, can be found on the National Conference of State Legislatures (NCSL) website.
IT Security: Not to Be Forgotten
For the most part, state legislators seem to be more intrigued by the privacy aspects of GDPR than by its data security clauses. Who can blame them? It's greenfield territory, as the closest federal regulators have ever come to giving consumers control over their personal information is the CAN-SPAM Act of 2003. Even HIPAA, for all its focus on privacy, was enacted on behalf of consumers rather than at their direction, and aside from signing a HIPAA statement every now and then, it gives individuals little say in how their data is managed.
Nevertheless, IT security is a vital part of GDPR compliance and many states are simultaneously looking at adding or enhancing data security regulations. According to the NCSL, twenty-five states have data security laws on the books that govern the security of personal information by private sector entities. That’s double the number of states that had such laws in 2016.
So, while regulatory fervor at the federal level has cooled somewhat, the states haven't gotten the memo, and many are enacting their own legislation. In some ways, this is more troublesome for businesses than a single federal regulation would be, because it requires an organization to keep track of the rules in every state in which it does business.
So, what's an organization to do? Our first piece of advice is always to ensure you have proper legal counsel when it comes to deciphering the web of regulations governing data security and privacy. Beyond that, work with qualified providers who are experienced with privacy and security regulations at both the state and federal level. Whether you're a small or midsized business or a Fortune 1000 company, this is not something you'll want to navigate on your own.
Contact Connectria for more information.