US Privacy Legislation: What’s Coming and What Should Companies Do To Prepare?

Posted on 2nd March 2020


Alexis Serfaty
Policy Director, Asia & US

On 13 February, US Senator and former Democratic Party presidential candidate Kirsten Gillibrand introduced legislation (the Data Protection Act) that would establish a US Data Protection Agency (DPA) for the first time. The bill would create a DPA responsible for enforcing privacy rules, launching investigations and sharing findings based on consumer complaints, and tasked with fostering digital innovation in the US.

Senator Gillibrand’s bill is the latest regulatory initiative on consumer data. Momentum has been steadily building in the US over the last two years, and increasingly in the last several months, around the need for comprehensive, uniform, federal data privacy legislation. Against this backdrop, what does 2020 (a general election year) foreshadow and what should companies do to prepare?

According to Senator Gillibrand, “the United States is vastly behind other countries…your data is extremely valuable to many companies with unknown motives, who are looking to exploit your data for profit.” This attitude is shared by many of her colleagues on both sides of the aisle in the Senate, as well as in the US House of Representatives. In response, Senators and Representatives of both parties have introduced nearly a dozen proposals for national privacy, embodying very different approaches. To be sure, a veritable “tech lash” permeates, with consumers driven by resentment and fear. But while Americans say they remain “concerned” about privacy and welcome enhanced protections and transparency in theory, they continue to share the most intimate details of their personal lives across a multitude of public domains and platforms.

The reluctance of Americans to sacrifice digital convenience and innovation for more privacy should not dissuade lawmakers and industry alike from making hard choices and working to enact comprehensive but thoughtful legislation aimed at safeguarding consumer information and ensuring transparent corporate policies, all while fostering innovation. It is likely that consumers will increasingly migrate towards companies that embrace data privacy and care while shunning those that do not.

While Congress weighs conflicting proposals, the current regulatory landscape in the US remains a mix of regulation on access to or use of personal data. Without a federal law in place, states are proceeding with their own regulations governing data privacy, which could impose sizable compliance costs on businesses and consumers. Several states have passed various data privacy bills at the state and local level, most notably and most consequentially the California Consumer Privacy Act (CCPA), in effect since January 2020.

The bigger picture, though, is that regulations like the GDPR and CCPA are leading the way for other parts of the world to follow suit. They are the beginning of a regulatory privacy wave, evidenced by the dozens of countries that have since introduced new privacy laws and/or tightened existing rules – many clearly modelled on these early efforts – with more to follow in the coming months. At least nine US states have proposed legislation similar to the CCPA – including Connecticut, Hawaii, Massachusetts, Mississippi, New Jersey, New Mexico, Rhode Island, Texas – and several more have pending proposals. Worse still, most organisations in the US were not sufficiently prepared for the CCPA and the majority remain unprepared despite the inevitability of future consumer privacy law and regulation. A survey of 200 privacy professionals in September 2019 revealed that only two per cent were comfortable in saying that they were fully prepared.

There is good news though. Companies that take a proactive and protective approach to privacy may find their policies to be a source of competitive advantage. Regulations provide an opportunity for organisations to invest in cleaning up their data stores, improving efficiency and reducing risk in the process. Those that can innovate new ways to personalise customer relationships without violating laws will get ahead of their competitors. In the interim, companies must turn their attention toward state capitals as much as Capitol Hill in an effort to shape data privacy laws to ensure consumer protections are fair and transparent.

With investigations and fines expected to rise in 2020, as well as new regulation due to enter into force, data protection is going to be a fundamental element of doing business in the years ahead. The risk is that after having “survived” the GDPR and CCPA, organisations may relax their efforts from both an operational and an organisational culture perspective. But more privacy laws are coming, and the public’s awareness of privacy issues will only grow. The GDPR has the merit of having raised awareness across the world, but new regulations following in its wake will only serve to fragment the landscape further. Companies must, therefore, invest the resources to fully understand their data practices, the types of personal information they collect and maintain, and whether the personal information is sufficiently protected.
