States Stepping Up to Address Data Privacy
Incredibly, the United States still lacks overarching regulations around data privacy. But it is proving to be an issue that could be addressed on a state-by-state basis, with many states already stepping in to try to protect the privacy of individuals.
The concept of data privacy regulation is popular with Americans, as 66% of people surveyed by Akamai said they want the U.S. to adopt GDPR-style rules, according to an article by GovTech. A separate survey by SAS that is mentioned in the same article found 67% of those polled believe the government should do more to protect their privacy. Moreover, corporate data is growing at a rate of 60% per year, according to PWC, and shows no signs of slowing.
By the Numbers:
- 66%: Share of Americans who want GDPR-style rules, according to Akamai
- 67%: Share who believe the government should do more to protect their privacy, according to SAS
Despite recent meetings by the U.S. Senate Committee on Commerce, Science & Transportation to discuss data privacy, there is little hope for a nationwide solution anytime soon. The GovTech article notes that, even if Congress acted today, it would be years before anything would actually take effect. That’s leading many to point to states for potential solutions, knowing they are more agile in their lawmaking.
“Where gaps are identified in the laws that aren’t covered by federal regulations, states should have a duty to protect their residents. This includes passing stricter laws on privacy and enforcing these laws to protect their residents’ rights. States should develop guidelines and standards along with providing paths to assurances that organizations should be required to abide by in protecting their consumers’ data privacy.”
-Jay Trinckes, principal with security consultancy NCC Group, to GovTech.
California is the most prominent example of a state taking action.
The California Consumer Privacy Act (CCPA) goes into effect in 2020 and will give residents the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Opt out of the sale of their personal data.
- Access their personal data.
- Utilize services, even if they exercise their privacy rights.
Elsewhere, in Arkansas a chief privacy officer is working to streamline data management by developing controls across state agencies regarding information use, according to the GovTech report.
And as we mentioned earlier this year, a Massachusetts State Senator introduced a bill akin to California’s CCPA, proving there is yet another state with an appetite to improve data privacy standards.
As a helpful resource, the news site Data Protection Report has a rundown of recent laws passed.
No American laws have gone as far as Europe’s General Data Protection Regulation (GDPR), which went into effect just over a year ago (ready to update your GDPR process? Visit our GDPR Compliance page to learn more). But everyone from government agencies to the general public is becoming more sensitive to data privacy concerns, which is a promising sign for action. For example, the Government Accountability Office published a study that was commissioned by the House Energy and Commerce Committee, making recommendations that seemed to align with GDPR.
To be sure, it is far from a slam dunk that states will be able to implement effective regulation.
“Even states that restrain their ambitions may face hurdles in trying to regulate data privacy, said Kristina Podnar, author of the new book The Power of Digital Policy. They may experience:
- Pushback from businesses, who see privacy requirements as a burden, and who find it hard to comply with rules that vary from state to state.
- Lack of expertise in defining and enforcing digital privacy.
- Uncertainty about what the legal foundations ought to be for privacy laws. States do not create rules in a vacuum: National and local governing frameworks must also factor in.
- Technical hurdles: States may, for example, rely on Social Security numbers being listed in the memo line of a check to match up payments with taxes owed. New reporting and payment systems may be needed.”
The GovTech report notes that state IT leaders should be central to the discussions and ensuring the legislation is realistic.
Taking action for data privacy
Of course, it is not wise for organizations to sit back and wait for policymakers—state or federal—to take action.
As more states begin crafting legislation addressing consumer data privacy, Heureka recommends that companies draft privacy policies to cover current laws but also with an eye toward state laws such as California’s. Heureka provides a flexible platform which is helping companies around the globe search, locate, report and remediate on unstructured data. There are three specific areas where Heureka provides value according to existing and drafted state law:
- Heureka helps identify consumer data in unstructured data, regardless of where it is stored
- Heureka provides reports on location and type of stored or collected data
- Heureka provides a single tool to remediate files (request to delete) on desktops, laptops or file shares.
Let us show you how easy it is to manage your data privacy by scheduling a demo.