Unless you have been hiding from the news in recent months, you’ve probably seen the writing on the wall for some form of privacy regulation in the U.S. But will 2019 be the year? With the wide range of predictions from industry experts and our current political environment—you may as well ask your Magic 8 Ball.
Privacy legislation will be complicated and have far-reaching ramifications. We can look at the now eight-month-old General Data Protection Regulation (GDPR) the EU enacted last May to see that. For good or bad, GDPR will pave the way for future privacy regulations around the world.
But ultimately, we’re still only in the very early stages of understanding how forms of non-human “intelligence” and the proliferation of “mass data-surveillance systems” will impact and shape our laws and culture. Regardless of what new cybersecurity events and regulatory responses unfold in the coming year, it will require time to craft legislation, achieve some level of adoption, and put it up for a vote. And that’s only if we can reach a consensus and identify a relatively clear path forward.
So with that in mind, our Magic 8 Ball reads… “Don’t Count on It” in 2019, but “All Signs Point to Yes” over the next few years.
Current U.S. Trends in Data Privacy and Regulation
Some of the world’s largest social media platforms and tech giants came under fire in 2018 following a number of high-profile data breaches and privacy scandals. Big names like Facebook, Twitter, Google, Apple, Amazon, AT&T, and more appeared before Congress last year in what is just the first round of discussions regarding privacy regulation. After avoiding Congress for years, these companies are now looking for input and getting involved in high-level discussions to map out how to implement effective legislation without crippling their own tech initiatives and online advertising revenues.
So, rather than a question of when, we’re focused on understanding the significant technology trends… Where and how are they being implemented? How are they impacting and shaping industries and personal rights (such as privacy)? And what are the public responses coming from organizations and major companies?
Data privacy and surveillance capitalism have become the new trigger words for discussing the coming tech inquisition. Companies with novel new apps and free services rely on consumers’ lack of caring about how their data is used, but we’re beginning to see just how effective mass data can be in targeting and segmenting us based on our daily traffic patterns. And what are the ramifications of this data falling into the wrong hands? Of particular concern, there are major data aggregators who suck up all of this personal data and sell it off for profit. Who is responsible when that data is stolen or compromised? What laws will be put in place to publicly acknowledge breaches and repair the damage done to individuals who become the victims of personal attacks? Take the Equifax breach from 2017, where the data of nearly 150 million people was stolen.
Privacy is also a moving target, as cyber criminals continue to look for new methods to steal information, while at the same time some legitimate companies seek ways to sell our valuable personal data to third parties.
What’s Coming Next?
There’s still plenty of speculation as to what’s in store for possible new laws pertaining to digital privacy. Here are the general directions we think it will unfold.
The California Consumer Privacy Act
In 2018, California became the first state in the U.S. to pass any form of general privacy act. While this act doesn’t go into effect until 2020, advertisers, online businesses, and device vendors are already scrambling to adjust. In fact, anyone who wants to take part in the California economy should take note and follow along with the coming changes. The law includes new requirements for collecting and storing data in state or for outside companies or agencies that work with Californians. This also includes digital companies that don’t have a physical presence in the state. One rule allows anyone age 16 or over to opt-out of any sale of their personal data, and another requires the parents of anyone 15 or younger to provide an opt-in for the sale of info. Companies will also be required to share any data they have for a particular individual upon request. Each consumer must also have the ability to trigger the deletion of their information from the company’s internal systems.
California Will Be A Role Model
While a unified privacy policy, or an American version of a GDPR, is not in our immediate future, industry and privacy advocates in individual states are looking at California’s regulation and the public response in order to determine their own course of action. Vermont, Texas, New York and other states have begun taking their own steps towards developing data protection policies. Depending on which groups have the most impact on the policy creation (i.e. lawmakers, tech industry lobbyists, consumers, or state officials), it’s likely to take on different forms.
Just earlier this month, the Los Angeles city attorney sued The Weather Channel app for “fraudulent and deceptive” practices, outlining that the app maker didn’t properly inform users about how private location information was used by the business. As one of the most popular weather apps for iOS and Android, The Weather Channel app has over 45 million active monthly users—making this lawsuit a very public display of data privacy misuse. The lawsuit states:
“For years, TWC has deceptively used its Weather Channel app to amass its users’ private, personal geolocation data — tracking minute details about its users’ locations throughout the day and night, all while leading users to believe that their data will only be used to provide them with ‘personalized local weather data, alerts and forecasts.’”
– Los Angeles City Attorney
Unfortunately, we’ll continue to see lawmakers’ responses to and preparations for coming regulation. Until the CA privacy act takes effect in 2020 (and for at least several months thereafter) we won’t know to what extent lawsuits and implementations will impact all of us. In the meantime, local, state, and even federal policy makers will be looking at how California handles all of it.
Public-Private Partnerships and Involvement
For any large-scale, top-down regulation it will be critical that policy makers involve a range of industries, as well as both public and private sectors, in discussions. Lobbyists and government agencies The tech industry has pointed to the example of HIPAA as something to avoid, a top-down patient privacy policy that began in the late 1990s. Here, after long and laborious negotiations, healthcare and government officials devised regulation for the medical industry, with rule changes for data privacy and protections, including significant penalties for non-compliance. HIPAA is looked at as a sprawling regulatory challenge that hindered growth and innovation, and as something that should be avoided. For digital privacy, the tech industry is trying to be proactive in developing solutions with elected officials. IBM calls this level of collaboration between the public and private sector something that is uniquely American, and distinguishes it from European counterparts that are attempting to comply with mandated GDPR rules.
International Impacts and Considerations
Along with trying to hammer out potentially 50 different digital privacy policies (if each state makes their own), American tech professionals are looking at what other countries are doing to develop or expand consumer data protections. Some policies are generally modeled after the European GDPR, but unique to their relative populations and tech needs. Canada’s Digital Privacy Act of 2018 requires all Canadian companies to take significant steps to protect customer information from theft or loss, no matter the format. There’s a notification process to be followed if a security breach occurs, and possibly large fines—not just for companies, but in some cases individual employees and managers who are found to be at fault. Along with this, the U.S., Canada, and Mexico must all now react and meet a new set of standards following the revised North American Free Trade Agreement. New policies govern how data should be stored or monitored, including requiring each participating country to share data and its protection policies with other member countries. It also outlines a requirement that citizens of any of the three countries have the ability to request more information and/or report possible privacy violations.
Data Breach Notifications & Additional Scrutiny
While widespread data privacy policies are yet to be determined, there are already regulations in place that require U.S. businesses to notify consumers when personal information is compromised. As of March 2018, all 50 U.S. states (plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands) have this in place—though there were some significant updates and latecomers (i.e. Alabama and South Dakota) in 2018 following the implementation of GDPR. Much of the legislation passed last year targeted regulating data brokers, requiring companies to document security policies, updating breach notification practices, and amending definitions of what should be classified as personal information.
With all of this coming to a boiling point—we can expect continued news coverage of data breaches and lawsuits intended to set precedent and direct the course of future regulation.
Reactions & Conclusions
The path ahead for digital privacy policies and consumer protections in the United States is riddled with obstacles and uncertainties. Tech pundits and lobbyists are quick to point out that any regulation must be well thought out and include flexibility so that it doesn’t hinder innovation. Lack of foresight and tech industry involvement can have dire consequences, like the Australian Encryption Bill. Poorly designed legislation can not only cause contention, but drive new business and innovation to other, more lenient and less regulated countries. They’re also concerned that with the current state of western politics, the pain and difficulties caused by missteps could require years to correct and get back on track.
What are your thoughts? Are your systems and in-house data policies flexible and coordinated enough to meet potentially significant changes in legislation?