The EU General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018. Shortly afterwards, the EU data protection authorities received more than 95,000 complaints from citizens. EU consumers became more willing to transact with EU businesses because they have the legal means to enforce their privacy rights. Thus, the enhanced privacy protection provided by the GDPR benefits both consumers and businesses in the EU. (To learn more about the GDPR, see GDPR: Do You Know if Your Organization Needs to Comply?)
The United States still lags behind the EU with regard to privacy protection. Despite a few federal privacy laws covering particular industry sectors and a number of state privacy laws, the United States does not have a federal privacy law that provides consumers with strong privacy protection throughout the entire country. This threatens the development of the U.S. economy, which is the largest in the world.
In this article, we examine a number of recent developments indicating that the United States may soon adopt a federal consumer privacy law and provide our predictions about the nature of the new law. At the end of the article, a conclusion is drawn.
Recent Privacy Developments in the United States
In April 2018, The Guardian reported that the data consultancy firm Cambridge Analytica had collected and used data from about 87 million Facebook profiles without the consent of the respective users. The majority of them (70 million) were U.S. based. To collect such a vast volume of data, Cambridge Analytica used an app called thisisyourdigitallife. A former representative of Cambridge Analytica (Christopher Wylie) stated with regard to the data breach: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” The data breach led to serious public criticism of Facebook. About three-quarters of U.S. households using the internet became concerned about privacy and security risks. Shortly after the breach was discovered, Mark Zuckerberg, the CEO of Facebook, was requested to testify before the U.S. Congress.
In July 2018, the White House noted that it was intending to work with Congress on “a consumer privacy protection policy that is the appropriate balance between privacy and prosperity.” The Information Technology Industry Council, an organization representing the major tech companies, appreciated the efforts of the White House and stressed that the United States has the opportunity to create a new privacy paradigm for the digital economy and avoid the current patchwork of privacy laws.
In the past year, members of Congress proposed at least two data protection bills. First, in September 2018, Congresswoman Suzan DelBene introduced a bill imposing various privacy requirements on companies, including, but not limited to, (i) requirements to provide consumers with privacy policies in “plain English” and (ii) requirements to obtain the consent of consumers before processing their personal information. Second, in December 2018, a group of 15 U.S. senators introduced the Data Care Act. If adopted, the Act will require companies collecting personal data from users to take reasonable steps to protect it. Brian Schatz, a U.S. senator who sponsored the draft law, explained the rationale behind the Act as follows: “People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them.”
In April 2019, a high-level EU official (Vera Jourova) met with Trump administration officials and U.S. lawmakers and told them that the U.S. must move towards protecting the privacy of consumers.
Speculations About the Nature of the New Law
Taking into account the success of the GDPR and the trend among individual U.S. states toward adopting laws resembling the GDPR, we can expect that the new federal privacy law will also follow the GDPR framework. This means that it will likely require companies to: (i) collect only data that is strictly necessary for accomplishing legitimate purposes; (ii) publish comprehensive privacy policies; (iii) ensure that they have legal grounds for processing consumers’ personal data; (iv) use the personal data collected from consumers only for specific and limited purposes of which consumers are aware; (v) ensure that consumers can easily manage (e.g., access, edit and delete) their personal data; (vi) take up-to-date technological and organizational measures to protect consumers’ personal data; (vii) report personal data breaches to the competent data protection authorities; (viii) retain consumers’ personal data for a limited period of time only; and (ix) transfer personal data outside of the U.S. only after implementing appropriate safeguards. A company's failure to comply with the requirements of the new law is likely to result in heavy fines.
We can also expect that the new law will establish one or more federal data protection authorities which will be responsible for enforcing it. The entry into force of the GDPR did not lead to the establishment of new data protection authorities in the EU because such authorities existed even prior to the GDPR. The previous EU data protection law (Directive 95/46/EC) required each EU country to have one or more public authorities responsible for ensuring privacy compliance. At present, federal privacy matters fall within the ambit of the Federal Trade Commission (FTC), but the complex task of administering a major federal consumer privacy law will likely require the creation of a new governmental entity. The entity may, for example, be called the Federal Privacy Commission (FPC). (For more on privacy, see 10 Quotes About Tech Privacy That'll Make You Think.)
A new comprehensive U.S. federal privacy law may increase the confidence of consumers in e-commerce, thus further accelerating its growth. However, if the new law governs consumer privacy matters in a rather loose manner, it may bring more harm than benefit to U.S. citizens. This is because it may override some of the strict state privacy laws, such as the California Consumer Privacy Act of 2018. By analogy, the U.S. Federal Arbitration Act has prevented states from regulating arbitration agreements.