This month, President Joe Biden joined the push for a federal privacy law. Writing in the Wall Street Journal, Biden took aim at Big Tech and urged lawmakers to come together, hold tech companies accountable, and pass federal legislation to codify consumer privacy rights.
“We’ve heard a lot of talk about creating committees. It’s time to walk the walk and get something done,” Biden declared. After watching so much fragmentation at the state level, it’s exciting to see POTUS advocate for unified, federal action.
Attacks on Big Tech companies poll well, and a cynical reader might suggest that is Biden’s primary motivation. However, data privacy truly is a bipartisan issue, even if the parties differ on how it should be implemented. Commonsense regulation around a citizen’s right to privacy can be balanced with businesses’ need for growth, and clear rules and frameworks create the certainty that the private sector needs to thrive.
Will Biden’s advocacy affect federal privacy law progress?
It’s possible—in theory, at least—for Democrats and Republicans to find common ground on privacy issues. Republicans would love a new reason to go after Big Tech companies, and Democrats are eager to do more to protect consumers’ individual privacy rights. In reality though, we should expect continued gridlock. (After all, the quickest way to get Republicans to oppose legislation is to tell them a Democratic president is eager to sign it!) Despite common ground, there are thorny disagreements between parties:
- Lawmakers would need to agree on preemption of existing U.S. state privacy laws, a challenging task amid so much state-level movement (five comprehensive state laws passed and counting, with California’s CPRA, in force since January 2023, generally regarded as the strictest), and with progressives wary of undoing their hard-won state regulations.
- Republicans are adamantly opposed to the idea of private right of action against businesses, which would allow consumers to individually file suit if their privacy rights are breached.
This doesn’t mean businesses should ignore Biden’s op-ed. By talking about privacy, Biden is helping to keep the spotlight on the issue. This will increase consumer awareness of privacy issues, and may also spark new state-level regulatory initiatives. We’re unlikely to get a federal privacy law anytime soon—but Biden’s op-ed raises the stakes as organizations seek to live up to consumer expectations, and navigate the tangled reality of state-by-state privacy regulations.
Would a U.S. federal law mean less complexity for businesses?
Perhaps you’ve been hoping a federal law will free your business from the burden of managing a complex patchwork of regional privacy rules. When you’re operating across multiple jurisdictions, each with their own standards and requirements, it can be tough to find a path forward.
In theory, a federal standard might help to resolve that, creating a single rulebook for U.S. businesses. But not so fast:
- The federal law may be tougher than the state laws. Draft legislation now circulating in DC suggests that a federal law might actually increase the complexity of managing data privacy across large organizations, requiring a deeper understanding of where personal data flows and creating onerous new requirements in areas such as data discovery, classification, and purpose limitation by data type. (Especially in a post-Dobbs landscape, certain data types, such as location data, are receiving extra scrutiny.)
- There’s no guarantee that a federal law will preempt existing state laws. It’s entirely possible, and perhaps even likely, that any federal rulemaking would create a floor, but not a ceiling. That would leave businesses having to comply with complex federal rules, while also complying with any state privacy rules that go beyond the federal framework.
- Sector-specific privacy laws won’t go away. Laws covering healthcare (HIPAA), financial services (GLBA), children’s privacy (COPPA), and more would remain in force alongside any general federal statute, so businesses would continue to have plenty of compliance headaches. When it comes to data privacy, the arc of history bends toward increased regulatory complexity — and that will continue to be true, regardless of whether Congress heeds Biden’s call for federal legislation.
For more about the federal privacy law, read Learn from the ADPPA: 3 key data privacy legislation trends.
State-by-state regulations are here to stay
The truth is: for most organizations, there may never be a simple privacy standard that can be applied once to cover them in all possible jurisdictions and circumstances.
It’s generally accepted that of all the state laws, California has enacted the strictest legislation. Therefore, many businesses are treating California’s privacy laws as a de facto federal standard, assuming that if they abide by the Golden State’s stringent rules, they’ll automatically be in compliance with other states’ regulations.
Unfortunately, this approach isn’t foolproof. The state-by-state rules don’t overlap perfectly, and there is no single state rulebook that meets or exceeds the requirements of all other states. For example: complying diligently with California’s legislation won’t cover you against Colorado’s GDPR-style opt-in consent requirement for processing sensitive data, which differs from California’s opt-out model.
Organizations have a choice to make: keep on building (and rebuilding) their privacy infrastructure each time the rules change—or find a solution that makes it possible to flexibly cope with a long list of state-by-state rulebooks (or, for that matter, new federal laws) without struggling with a massive administrative burden.
Creating a path to sustainable compliance
At Ketch, we’re making it easier for companies to create this sustainable, responsive approach to privacy compliance. A few key steps we’ve taken:
- A flexible platform for compliance. Using our solution, businesses can rapidly implement state-by-state, national single-standard, or hybrid approaches according to their own unique needs. A company might choose to apply a single national standard for data deletion requests, for instance, while still using granular state-by-state policies for consent notice and collection.
- Consumer privacy choices are enforced across your data ecosystem. Ketch has built the APIs and connectors that ensure when people make a privacy choice, it’s reflected and enforced across your data ecosystem, including your vendors and service providers. If a consumer allows you to use their data for analytics, but not to target advertising, we reflect that choice across all the systems that manage those functions.
- It all works together. Businesses need to know where their sensitive and personal data is. This process of data discovery and classification needs to be fully integrated into your privacy management software to enable easy, efficient handling of data subject requests (DSRs), automated risk assessments, and automated, always-on risk reporting and remediation.
We think this is a smarter way to navigate the complexities of today’s regulatory patchwork. But it’s also a smarter way to prepare for the next generation of web services — and the future of the data economy itself.
The end goal: ethical and responsible use of data
Privacy, after all, is just the tip of the spear when it comes to the bigger question of how to use data ethically and responsibly. The privacy systems we’re now building, in other words, shouldn’t just be answers to the specific challenges posed by individual pieces of legislation. They should be conceived of as the reference architecture that will allow us to unlock the full value of our data in scalable, sustainable, and ethical ways.
That’s something consumers are increasingly demanding in ways that go beyond the strictures of any given rulebook. Consumers now know that their data has value, and while they’re willing to exchange that value to receive improved services and other benefits, they still want their autonomy and data dignity to be respected along the way.
Legal and regulatory compliance will always be important, of course. But it’s end-users, not regulators, who are emerging as the key driver of responsible data practices. Ultimately it will be consumer expectations — not the White House, Congress, or even state regulators — that decide the future of data privacy and compel businesses to build smart, purpose-driven data privacy solutions.