The data privacy game is changing, and the United States is experiencing an onslaught of proposed legislation that seeks to set new standards for the handling of user data.
While businesses across the globe are still adjusting to the changes brought on by the EU’s General Data Protection Regulation (GDPR), the US is welcoming laws of its own that will follow the GDPR’s lead and revolutionize the way companies interact with user data.
What can we expect to see from the US legal system by way of data laws? How will they follow the path laid by the GDPR? And what do these proposed pieces of legislation mean for you?
1. How the GDPR is Changing the Idea of Digital Data
GDPR’s mission is to shift the balance of power to consumers when it comes to the use of their personal data.
GDPR compliance is forcing global adjustments in data management – both in the EU, and around the world. Changes include:
- Users must be told in the simplest terms how their data is collected and used
- Users must consent to data collection, and understand what that consent means
- User must be able to refuse consent, and be able to withdraw consent
- Companies must explain why they collect data
- Companies can’t force consent by refusing or limiting services
The US is drawing inspiration from some of these points, with various US states drafting up data privacy laws that include one or more of the above concepts.
2. The CONSENT Act
The Customer Online Notification for Stopping Edge-Provider Network Transgressions (CONSENT) Act is a proposed federal law (S. 2639) that grants stronger privacy rights to users.
You may be asking who exactly is an edge provider, and if you are considered one.
The term edge provider originally evolved to designate big companies like ISPs, Facebook, Google, Twitter, and others, that offer applications and services over the internet, or provide devices for accessing the internet (tablets, phones, etc.).
But in 2014, the FCC expanded the definition of edge providers to include anyone that sends data packets across the internet.
That means if your business provides any online content – an ecommerce store, videos, images, or even just a blog about your organization – the FCC considers you an edge provider.
The CONSENT Act would require the Federal Trade Commission (FTC) to establish an opt-in requirement for consent to the use of sensitive information by those edge providers.
Who Does It Affect?
Anyone with a business website in the United States would be expected to abide by the CONSENT Act, along with big edge providers like Google, Amazon, YouTube, etc.
If you have any content on your site or collect and store any data (which you likely do), CONSENT would apply to your interactions with site visitors and customers.
What Does It Mean for Businesses?
If the CONSENT Act passes, your business website would have to:
- Monitor what data you collect on website visitors
- Get explicit consent before you can use, share, or sell that data
- Refrain from advertising to users based on their data unless they agreed
- Stop using an “opt-out” box for consent and implement a clear “opt-in” process
- Detail data collected and used specifically – don’t bury it in fine print
- Provide a clear mechanism to withdraw consent when a consumer so chooses
3. Social Media Privacy Protection and Consumer Rights Act of 2018
Senate Bill 2728 intends to protect user privacy on social media and other platforms, and would require websites to provide users with a copy of the data collected about them.
The disclosure would also tell the end-user who has accessed their data, whether your employees can access it, and the usage of that data.
Who Does It Affect?
While the title of the bill makes it sound like it’s relevant only to social media platforms, it potentially applies to any website that collects data on site visitors – even though it primarily takes aim at social media outlets.
The legislation is still in flux – meaning outcomes are yet uncertain – but there is heavy lobbying in favor of the compliance scope going well beyond social media platforms alone.
What Does It Mean for Businesses?
If the Social Media Privacy Protection Act passes and the final interpretation includes more than strictly social media outlets, your business website would have to:
- Write your terms of service in plain language
- Show users what data was collected from them
- Give users enhanced access and control over data collected about them
- Set up opt-out and tracking disable services
- Establish a privacy program (includes privacy policy, practices to ensure internal compliance, and an incident response plan)
- Notify users within 72-hours of any privacy violations
4. California Consumer Privacy Act of 2018
The California Consumer Privacy Act of 2018 (CCPA) was set to appear on the ballot this November, but the state’s legislature passed a milder version of it into law on June 28, 2018.
The act grants consumers the right to know what data businesses and edge providers are collecting from them, and offers them certain controls over how that data is handled, kept, and shared.
Who Does It Affect?
This data privacy law applies to any business or edge provider that lets someone in California onto their website or platform, provided that the business meets at least one of the following criteria:
- Annual gross revenues exceed twenty-five million dollars ($25,000,000)
- Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more CA consumers, households, or devices.
- Derives 50% or more of its annual revenue from transferring in any manner, including selling or sharing, CA consumers’ personal information to a third party for commercial purposes.
The CCPA does not apply to nonprofits and to state and local government agencies in California.
What Does It Mean for Businesses?
In effect since January 1, 2020, the CCPA requires business to make several changes to their data collection and handling practices, or face noncompliance fines of $750 per person, per violation.
Here are the main measures you’ll need to keep in mind to comply with the CCPA:
- Disclose to consumers the categories of data you collect
- Disclose which, if any, third parties you allow to access data
- Allow CA consumers to opt out of the sale of their data
- Not discontinue or limit use of services to consumers that opt-out of the sale of their data
- Set up opt-in services for CA consumers under age 16
5. Other Potential Privacy Laws
While the laws mentioned above are the most prominent ones coming to the fore in the US, the list is far from being exhaustive.
The Data Security and Breach Notification Act
Proposed in the 2017-18 Congressional session, the Data Security and Breach Notification Act is expected to surface again. The act intends to standardize how data breaches are handled, and would mandate a strict 72-hour notification to affected users.
The Data Acquisition and Technology Accountability and Security Act
This proposal comes from the House of Representatives, and would establish a national standard for breach notification and data security.
As of now, most states have breach notification laws – many of which contradict each other. The US is taking strides to sew this legal patchwork into blanket legislation in order to better protect the private data of internet users.
NYC Secure
Even cities are jumping into the data protection law arena, including New York City with their NYC Secure initiative.
This program aims to protect locals from malicious cyber activity on Wi-Fi and mobile devices while ensuring data privacy.
6. Conclusion
The GDPR has sparked a domino effect in the digital privacy legal sphere. The UK’s Information Commissioner, Elizabeth Denham, said in a recent speech:
There’s a lot in the GDPR you’ll recognize from the current law, but make no mistake, this one’s a game changer for everyone.
And now – the new paradigm of personal data privacy is making its way to the United States. Between consumer concern and building pressure from internationally-raised legal standards, the US is quickly making efforts to improve internet privacy laws by implementing new laws and regulations for the sake of user data privacy and protection.
While these strides ultimately serve to benefit the public, they can be difficult for businesses to keep up and comply with.
The first step to maintaining pace with the changing world of data rights is to keep informed of what’s in store, and stay ahead of the curve.