A recent article on SecurityInfoWatch.com from Stephenie G. Anderson Scialabba, a Pittsburgh-based attorney at the law firm of Eckert Seamans Cherin & Mellott, LLC, and Sandy Garfinkel, a business litigator who serves as the chair of Eckert Seamans Cherin & Mellott, LLC's Data Security & Privacy Group, points out that as more states around the country enact their own privacy legislation, more headaches will result for organizations required to sift through myriad nuances to comply.
With the most recent laws passed by Virginia being a hybrid of the California Consumer Privacy Act (CCPA) and the EU’s landmark privacy legislation, the General Data Protection Regulation (GDPR), the two privacy experts warn that, “the majority of concerns will relate to reconciling the new Virginia requirements with those of CCPA and GDPR. Having to segregate data, and the use of that data, based on competing privacy laws will complicate a company’s business activities and may make certain types of information processing less appealing. CSOs and CISOs are understandably worried about the logistics of complying with differing privacy standards at granular levels. For instance, GDPR, CPRA, and VCDPA (unlike CCPA) each create a category of 'sensitive information' and establish additional consumer rights and business obligations in connection with its use. The extra level of categorization and obligation will require companies to fragment data into general categories of sensitive information and non-sensitive information.”

While the U.S. does have several industry-specific privacy mandates like HIPAA, the Gramm-Leach-Bliley Act and FCRA, there is no uniform or singularly enforceable set of data privacy guidelines with which businesses, agencies and organizations in the country are required to comply. With the new Congress and a new administration, there are suddenly serious discussions about comprehensive privacy legislation in the country. Different bills are currently under debate in the House and the Senate, so Congress will have an opportunity to set nationwide standards for data privacy. But with a growing number of states moving ahead with consumer privacy legislation, the clock is ticking for the federal government to act.
Data privacy laws recently passed in Virginia (CDPA) and California (CPRA) both conveniently go into effect in 2023. That gives Congress enough time to set national rules on data privacy instead of relying on a patchwork of state-by-state regulations.
But states like Minnesota, Oklahoma and Washington are moving forward with similar privacy laws and that could complicate the push for federal standards.
SecurityInfoWatch Security Media Editorial Director Steve Lasky provided Dan Clarke, president at Truyo, a privacy rights platform backed by Intel, an opportunity to weigh in on the prospects of data privacy legislation at a federal level. Dan discusses whether he thinks Congress can reach an agreement before the next state puts in place their own rules and details why a patchwork approach to privacy policy will only make things more challenging for businesses.
SIW: Why are federal standards on data privacy necessary? What is the benefit?
Clarke: Data privacy is important to most citizens. People want to know their data is protected and especially want to know how it is used. Consumers want businesses to have standards and accountability. At the federal level, it’s particularly important that we have unified standards that are enforced in a consistent manner. Unfortunately, we don’t have that today. Having universal legislation is beneficial to companies because they don’t have to think about different requirements from different states. This is and should be important to all Americans. The benefits are blanketed to both companies and consumers.
SIW: What are the odds that Congress can reach an agreement? How can they decide by 2023?
Clarke: I’m a huge proponent of federal legislation, but I don’t see it as a priority for this administration. I think they’re focused on security and on finding a new privacy shield. Yes, there are some potential bills, yet I’ve never seen them reach the level necessary to actually pass, but I’m cautiously optimistic and hopeful.
SIW: What might be included in federal regulations and what would that mean for organizations?
Clarke: What we’ve seen is a huge amount of consistency. If you look at the meat of any privacy bill, there’s an intent for transparency and minimization. It’s a focus on the right of a consumer to see their information and understand how it’s used, while also giving them the ability to request it not be sold or deleted. That’s the underlying fundamental of really any version that we’ve seen. What differs is the private right of action: whether it’s preemptive and who enforces it. None of these really impact the business directly unless there’s a federal standard that sets the floor and then the state can stack on top. It’s more likely that it would be preemptive and consistent. If a company is ready for CCRA and Virginia’s privacy act, you’ll most likely be ready for a federal act.
SIW: One of the provisions of a potential Federal Data Privacy act states that it regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; so how does this affect public law enforcement agencies with the growing use of broad-based video surveillance?
Clarke: Virtually every privacy law, whether at the state level or federal level, wouldn’t have an impact on law enforcement or any branch of the government because those organizations are exempt. This is about consumer data and protection of privacy. While the administration seems to have an interest in regulating the public use, law enforcement use, and government use of data, that’s not what we’re talking about here.
SIW: In the same vein, can you discuss and assess the impact this act might have regarding the expanding use of facial recognition software in both public and private spaces?
Clarke: Typically, facial recognition is included in the definition of private information. Under CPRA and Virginia’s act, this is considered biometric information which rises to the level of sensitive information. Under CPRA there is a concept of personal information and a concept of sensitive information. Sensitive information refers to things like credit card information, financial information, religious orientation, and in addition to that, biometric information. Laws will deal with this either separately or at least try to address them as sensitive elements under privacy laws.
SIW: Most privacy and data protection laws have the noble aims of making us and our personal information safer – but overreach in the detail is a common side effect of attempts to do the right thing. Can you discuss the possible negative side effects like the additional burdens and costs of organizations to comply; the possible stagnation of technology; and the clashing of interests like undermining the use of video surveillance to protect the public?
Clarke: There are always two sides to every new compliance requirement. There are always additional burdens on organizations and potential clashes like the interest in using video surveillance to protect the public. Generally speaking, these privacy laws don’t try to address surveillance because government entities are effectively exempt. The negative impacts, I think, are fairly insignificant because most organizations already have to comply with CCPA, the new version CPRA, and Virginia’s VCDPA. It’s much more burdensome on an organization to have to address a myriad of state laws.
This is likely to be the case if we don’t get federal action. I think the burden is much lower if we can get some type of federal action. The most important thing is for the federal government to exempt really small businesses, like most of the privacy laws that contain a provision to protect these small businesses. Larger organizations already effectively have to comply with this, because most do business with either California or Virginia, or another state that’s likely to pass a law like Florida, New York, Colorado, and Washington state.