Have you heard the question, “Is America a melting pot or a salad bowl?” Let’s apply that concept to data privacy laws. Today, in the U.S. there is no consistent, national data privacy law. Instead businesses are trying to make sense of a ‘mixed salad’ of different regulations and laws enforced by individual states and industry-based regulatory bodies.
The Need for Nationwide Data Privacy Laws
As technology continues to evolve and effect so many facets of our lives, the digital environment really demands an overarching framework for ensuring and enforcing data privacy.
Eliminate Confusion & Inefficiency
Business today do not operate within borders. Vendors, suppliers, customers, and business associates all work to stretch operations across state and international borders. Often, they also operate or rely on business in multiple industries. Having to navigate various federal, state, and industry-related regulations creates confusion and inefficiencies for entities, assessors, and regulatory bodies.
Avoid an Excessive Compliance Burden
Similarly, with multiple standards in force, the reporting and compliance process requires more time, effort, and money from entities.
Because GDPR came first (in effect since May 2018), many American and multinational companies have already made the effort to reach GDPR compliance and continue business with their European customers. In order to avert further compliance burden, U.S. data privacy legislation should try to stay close to the standard already set by GDPR.
Keep Regulations from Becoming Obsolete
U.S. laws for data privacy that are currently on the books were written in the past and were designed to regulate a different environment. Now, we need regulations that are flexible enough to address developing technology and still be applicable in the future.
Strengthen Privacy Protections
Gaps and overlaps are a natural result of multiple regulations. In some instances, they are even in conflict with each other. Yet, in an era when personal data is increasingly vulnerable, protecting privacy is more critical than ever. Regulations should be comprehensive and clear – covering all types of personal information in all forms – in order to provide the strongest level of protection possible.
U.S. Data Privacy Laws
There is no federal data privacy law like GDPR in the United States. There are some national laws that have been put in place to regulate the use of data in certain industries.
- 1974 – The U.S. Privacy Act which outlines rights and restrictions regarding data held by US government agencies.
- 1996 – Health Insurance Portability and Accountability Act (HIPAA) which regulates privacy and security in the healthcare industry.
- 1999 – Gramm-Leach-Bliley Act (GLBA) which governs how consumers’ nonpublic privacy information is collected and used in the financial industry.
- 2000 – Children’s Online Privacy Protection Act (COPPA) took a first step at regulating personal information collected from minors. The law specifically prohibits online companies from asking for PII from children 12-and-under unless there’s verifiable parental consent.
Now we find ourselves in the year 2020. And there has been now significant progress towards a unified framework – across states and industries – of data privacy best practices in 20 years. The FTC has been the only guiding force in penalizing tech and social media conglomerates that have misled users about how their data is collected and sold to third parties.
But fines are not an effective form of regulation and they don’t help companies to understand and implement best practices. What’s needed is a framework that guides entities in developing effective data privacy policies and practices – from the ground up. Not just punishing violations – from the top down. Because the truth is, we may here about the cases involving Facebook and Zoom, but how many other instances of ineffective security are going unnoticed?
Related article: What Impact Has GDPR Made Since It Came into Force?
Difference Between U.S. and EU Data Privacy Laws
We can’t make a fair comparison because there isn’t (yet) a U.S. equivalent to GDPR. Essentially, the EU respects privacy as a fundamental right of citizens. GDPR is a comprehensive personal data protection framework designed to safeguard those rights. It governs companies operating in EU member states as well as international entities interacting with EU residents.
Some proposed regulations include the American Data Dissemination Act, the Consumer Data Protection Act, and the Data Care Act. At this point, however, no proposal has gained enough support in Congress to become a new law.
The closest national law in vigor would arguably be HIPAA which was engineered to protect patient privacy and healthcare information. Yet, we lack regulations that cover consumer privacy and data security in all industries.
The Un-United States of Data Privacy
In recent years, we’ve seen states introduce their own consumer data privacy regulations. The Californian Consumer Privacy Act (CCPA) and the Massachusetts Data Protection Act are two strong examples. Other states have already enacted their own data protection laws that apply to all businesses. These states include:
- New Mexico
- Rhode Island
Each of these states have developed and adopted their own data protection laws that require companies that hold personal consumer information of state residents to protect that information. Thus the ‘salad bowl’ conundrum. Without a melding of the governing forces, each state is left to act alone, and compliance becomes confusing and inconsistent.
Why Do Multinationals Need to Care About GDPR Compliance?
Non-EU affiliates associated with a multinational business need to care about GDPR because they, most likely, have customers residing in an EU country. If the EU consumer data that multinationals collect during transactions is accessible from one central system to affiliates around the world, it is imperative that these companies understand how the data flows to ensure that cross-border data transfers comply with the GDPR requirements.
Another highly important reason to make GDPR compliance a priority is that non-compliance leaves multinationals subject to substantial administrative fines that designated data protection authorities (DPAs) are given authority to impose if they find cause. The penalties for GDPR non-compliance are four percent of the company’s worldwide gross annual revenue or €20 million. Such penalties are applicable even if the responsible entity is merely a subsidiary with only a few employees, making it essential that multinationals make sure that any subsidiaries are on board, as well.
Additionally, DPAs hold the power to bar or ban data transfers from the EU to the U.S. parent corporation if they discover a non-compliance issue.
Are You Confused About Data Privacy Compliance?
Talk with I.S. Partners, LLC. We can help your organization determine which regulations apply to your activities and build a strategy for achieving full compliance.