What to watch for in U.S. Privacy Legislation
The push for U.S. Federal privacy legislation is gaining traction in Washington D.C. from both sides of the aisle. While there is consensus that there is a need for such legislation, the devil is in the details. There is common ground that a bill must, at a minimum: require transparency about how data is collected, used, shared, stored, retained, and deleted; provide users the ability to move their data; require notice and consent; set breach notification standards; and require the adoption of reasonable cybersecurity measures. However, what these minimum requirements actually require is up for debate, and beyond them there are issues like pre-emption of state protections, authority for enforcement and what enforcement will look like, private causes of action, limits on use and retention, and so on.
In order to really understand and debate these issues, it is important to focus on the goal of the legislation. Is the purpose of comprehensive legislation to protect consumers or to provide a framework for companies to comply with in a holistic way? I believe it needs to do both. We need to stop drafting legislation in vague terms like “reasonable cybersecurity measures” and actually understand and define what reasonable means. We need to agree that all U.S. residents shall have the same rights when it comes to privacy protections. This way, individuals will understand more about their data. Companies will then be able to understand what is needed to protect that data and focus on building comprehensive compliance programs instead of patchwork systems with loopholes and exceptions.
The U.S. should take the framework of the GDPR and improve upon it. The regulation raises so many questions and scenarios that, if anything, it has taught us that we need to pay attention to the details and be clear about what is required and why these requirements are so important.
Written by Emily McNeeley, CIPP/US, Attorney, Intuitive Edge Team