Data privacy has become a global concern over the past few years, given several new regulations that govern the way personal information is acquired and managed. Though individual states have recently passed and enacted privacy legislation and both Democrats and Republicans have proposed federal bills in Congress, national legislation has yet to gain enough traction for passage. Surprisingly, federal data privacy regulation is gaining momentum, and a standard is likely coming within the next few years—with some variation, depending on the election outcome.
The spotlight on data privacy began with the European Union’s General Data Protection Regulation (GDPR), introduced in 2016. This law fundamentally changed how organizations hold, transmit and process EU residents’ data—regardless of whether they actually operate in the EU. In a departure from past laws, the primary focus was not on how data is secured, but rather why a company has that data in the first place and how it is subsequently used.
The GDPR’s success in protecting EU residents’ data inspired data privacy laws in several U.S. states, including the Nevada Privacy Law, which took effect on October 1, 2019 and the California Consumer Privacy Act (CCPA), which became law on January 1 of this year.
A federal data privacy law has seemingly been right around the corner for several years, but the tug of war and consequent gridlock between both major U.S. political parties has stalled any potential progress. However, data privacy is an element of the overall 2020 Democratic Party platform and was a core topic for several Democratic presidential candidates. A Joe Biden presidential victory—especially coupled with a gain in Democratic seats in Congress—could make a privacy bill move relatively quickly.
On the other hand, while the Republican Party is traditionally more regulation-resistant from a business perspective, the party is not necessarily opposed to a federal data privacy law—but nevertheless maintains a drastically disparate rationale from the Democratic Party. In addition to the existing state and industry privacy regulations, over a dozen additional states are likely to pass individual laws modeled after the CCPA in either this election cycle or the next, likely creating a domino effect for other states. This web of regulations would create a complex environment for managing data and doing business.
“For those who are regulatory averse, the only thing worse in their mind than a federal privacy law is 50 individual state privacy laws,” said RSM Principal and Leader of National Security, Privacy and Risk Daimon Geopfert.
Practically speaking, as soon as the United States has 10–15 state-level privacy laws, it would already have a pseudo-federal law, which could take a significant toll on businesses, notes Geopfert. The potential for this unofficial patchwork federal law is a nightmare scenario for many businesses, and could create a set of challenging circumstances if it comes to pass.
“It would be hard to do business in the U.S. without bumping into at least one of the privacy laws, because very few companies of any size conduct business in only one state,” commented Geopfert. “Organizations will need to change processes and technology to meet any single law, but guidelines will be slightly different from state to state, which could create a no-win situation where it is difficult to meet an array of slightly different state requirements.”
Therefore, if Trump wins a second term in office, a federal data privacy law of some type is still more likely than many might expect. As we move into the next political cycle, a federal data privacy standard is probably not a matter of if, but when, and to what extent.
The details are likely to vary drastically between laws put forth by the two parties, with the Democratic version more stringent on security controls and privacy and the Republican version more focused on simplifying guidelines for business usage and liability. But some legislation in this space makes too much sense to both parties to not be strongly considered.