This article is part of the series "GDPR American-Style". Check out the rest:
The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and it’s happening here in the US. There is now a very good chance that significant data privacy legislation will come to the US soon. I’ll go out on a limb, and say in 2019. But if not next year, then certainly in 2020.
Yes, we’ll likely see GDPR-lite privacy requirements becoming yet another compliance consideration for US companies in the very near future.
No, hell has not frozen over. In fact, over the years there have been various US data security and privacy laws kicking around Congress. With GDPR becoming a reality, and some well publicized privacy lapses making headlines, Silicon Valley companies decided to back federal privacy legislation, rather than having to deal with separate state initiatives.
In September, AT&T, Google, Amazon, Twitter and Apple, testified in Senate hearings in favor of a federal privacy law, with each offering their own frameworks. They were essentially calling for a simplified version of GDPR. In short, they agreed to stricter consumer controls over their personal data, including a right to deletion/correction, and explicit opt-in for collection and sharing of consumer data.
Let’s Hit the Law Books
Congress has also gotten busy and started introducing their own newly cooked-up batch of privacy legislation with Senators Blumenthal and Wyden taking the lead. There are other Senators weighing in as well.
So what’s in these proposed laws? Well, Blumenthal’s has not been published, but Wyden’s has a fully-formed privacy bill available on the Senate website.
These are big pieces of legislation — though not nearly as complex as GDPR — so I don’t blame you for not immediately diving in and trying to decipher. However, I’ve generously volunteered to do the heavy-lifting, and have spent a few afternoons looking for the good parts, so to speak. While we won’t know what the final US privacy law will look for at least a few months, I’m betting that some of the key elements of the Wyden bill will make the cut.
In this two-part series, I’ll explain what I think a future US law will look like and come up with some short-term next step that can be addressed by your CSO and CIO, sooner rather than later.
If I had to summarize, I’d say we can expect a far broader definition of personally identifiable information (PII) than what’s in most state laws, stronger consumer rights and protections over this data (opt-in, correct, delete), obligations to analyze data and assess risks, a minimum baseline for data security, and, last but not least, significant fines and other penalties for not following the law.
What won’t be in the coming US privacy law? If I’m reading the tea leaves correctly, there won’t be breach notification rule, like the GDPR has. Not yet anyway.
That’s the big picture view. So let’s get into some of the details and in the spirit of end-of-year prognostications, I’ll add my predictions for what I think will ultimately become part of the privacy law of the land in the US.
1. Personal Information
We’re going to get a more modern version of PII. Period. Wyden’s Consumer Data Protection Act (CDPA) defines personal information as data “that is reasonably linkable to a specific consumer or consumer device.” This is about as encompassing as you get and would include quasi -identifiers — for example, birthdate, zip code, and gender — that I wrote about once upon a time.
On the other hand, the personal information definition in, say, Senator Thune’s proposed data security law is not nearly as abstract and instead lists all the usual identifiers — name, address, account, license. It does call out, though, internet-era identifiers and information – user name, passwords, and bio data.
Keep in mind that even traditional identifiers, such as license numbers, can vary by state, and I won’t even get into financial account numbers. To comply with a federal privacy law, you’ll need sophisticated pattern matching to deal just with legacy identifiers spread out across your file system.
What’s a possible solution to the identifier chaos in terms of legal language? The US does have a hybrid model for PII with the HIPAA law, and its definition of protected health information (PHI). All your health information is technically under HIPAA, but to make it easier for insurers and other covered entities, the government created a loooong list of explicit safe harbor identifiers. In short, if you protect these 18 identifiers, you’re in compliance.
Prediction: I’ll boldly predict that we won’t see a GDPR-style definition of personal definition, like what’s in the Wyden bill, but instead we’ll get a list approach, but one that will include basic online identifiers — user name, passwords, handles, PINs, etc. — as well as the legacy ones. In any case, most companies will have to up their game to track and classify data based on this longer list.
2. Risk Assessments and Compliance Reports
The Wyden legislation makes risk assessments a centerpiece of its privacy requirements. The law goes into some detail about assessments needing to be made based on a few factors, include data minimization, storage duration, and accessibility. It restricts these assessment, though, to automated decision making – that is, algorithms. But the Thune legislation, as just one other example, has more general risk assessment requirements.
Additionally, the proposed Wyden law asks larger companies (above $1 billion revenue) to produce annual data protection report to show that they have “reasonable cyber security and privacy policies” in place. Of course, risk assessments are a standard part of reasonable data security and privacy programs.
The Wyden law, by the way, also requires the CEO, the chief privacy officer (CPO), and the chief information officer (CIO) to certify the report!
Prediction: We will see explicit language about risk assessments and data security policies (minimization, access, etc.). We are over the self-policing phase of data privacy and security, and this new law will force US companies to prove that their IT departments are doing what they claim. For a sneak preview of what might be in store, check out the NYDFS Cyber Regulation, which gets into nitty-gritty detiails in terms of security program requirements, including an annual report summarizing these efforts.
We’ll continue in the next post with more of what to expect in next year’s US privacy law. And I’ll provide some ideas for how to get ahead of the curve!