As other countries continue to strengthen their data privacy laws and regulations, the US has been slow to adopt legislation at the federal level. Disjointed legislation pertaining to specific regions and vertical sectors like California’s Consumer Privacy Act (CCPA) and the Gramm-Leach-Bliley Act (GLBA) for financial services is filling the gaps.
The surging adoption of AI, however, is raising public interest, highlighting just how much personal and professional data is being handed over to companies. As recent comments from the White House show, legislation around bolstering data privacy could be brewing sooner than we think.
Data Privacy Legislation Around the World
Historically, the US is years behind other countries when it comes to data privacy. Let’s take a look at some laws from around the world to see what the US could potentially incorporate in its own legislation.
The EU
Likely the most well-known piece of privacy legislation, the General Data Protection Regulation (GDPR) of the EU, came into effect in 2018. The law obligates organizations anywhere that target or collect personal data related to EU citizens to comply with the privacy and security standards laid out in the regulation.
Fines for non-compliance with GDPR are steep and can reach around €20m or 4% of company revenue, whichever is higher, and the regulation also grants affected individuals the right to seek damages. Under this legislation, personal data is defined as any information that can directly or indirectly identify an individual, whether as simple as a name and email address or as specific as web cookies and political affiliation.
Many countries have created similar laws inspired by, or in some cases copied wholesale from, GDPR. It seems reasonable for the US to adopt some of this language, particularly around how personal data is defined and how fines are imposed on non-compliant institutions.
The US and EU do, however, differ greatly in their approaches to privacy. While the US has often shied away from instituting strict legislation around the right to privacy, the EU has had some form of regulation in place since the 1950 European Convention on Human Rights.
Brazil
Brazil’s General Personal Data Protection Law (LGPD) was passed in 2020. The goal of this legislation was to unify around 40 different laws regulating how Brazilian data is processed. While largely inspired by GDPR, LGPD differs in that it is not limited to organizations above a certain size, and it offers fewer compliance exemptions, limited to journalistic or artistic endeavors and matters of national security.
Another key differentiator is that it expands the familiar ‘right to be informed’ principle seen in GDPR to include being informed about what happens if you refuse to consent to sharing private data. While this may seem minor, it shows Brazil’s efforts toward greater transparency with its citizens.
Given the pride the US takes in its small businesses, it seems unlikely that the country would institute something requiring organizations of all sizes to comply. It would be smart for the US to include further provisions on the right to be informed, as US citizens grow increasingly curious about how their data is and isn’t being used.
India
The Indian Digital Personal Data Protection (DPDP) Act of 2023 was passed to provide guidelines for processing the digital personal data of individuals. Similarly to GDPR, DPDP applies to organizations within India and to international firms that process any data of Indian citizens.
One way in which DPDP differs from those that have come before it is that many believe it gives the government total access to individuals’ personal data. This element of the act has drawn heavy criticism from those who consider it too controlling. Something like this is unlikely to be included in any US data privacy legislation, as citizens would likely object to the federal government having that level of access to their data.
The Path Forward for the US
Each of these countries’ regulations has learned from those that came before it, and the US is likely to do the same. It’s plausible the US will take its patchwork of existing legislation and develop something at the federal level. It is also possible the US will borrow language and practices from laws like GDPR and DPDP to develop its own legislation.
One area in which I predict the US will differ in any federal data privacy legislation is when it comes to what data is being considered. While other countries' laws target both organizations within the country's borders and any foreign organization using citizens' data, the US will likely be hesitant to enact that level of control, not wanting to harm any of its international trade relations with countries that may not be willing to comply.
However, even if legislation does materialize in the US, it will be a slow and tedious process before anything goes into effect. In the interim, a large responsibility will fall on businesses to ensure that the data they collect and process is being protected.
Organizations manage and process extraordinary volumes of data, including everything from customer data and company IP to employee and third-party partner information. The onus is on US businesses to take the steps now to protect and respect data privacy in the future.
Unfortunately, too often, organizations aren’t taking the necessary precautions, relying on outdated and reactive cybersecurity measures. Instead, businesses must take an increasingly data-centric approach to cybersecurity. This includes maintaining continuous visibility and control of all digital assets – whether they’re in the enterprise or traveling outside the perimeter – with real-time insights and the ability to instantly revoke permissions.
2024 may be the year the US takes meaningful steps on data privacy, which would be a highly beneficial development – but organizations don't need to be passive in the meantime. We can all make strides to ensure data is better protected today.