Comparing data protection regulations across the US in the foresight of a GDPR-inspired federal law

When the world is realising that there are no ‘boundaries’ on the internet in the age of metaverse, and an international framework for personal data protection across borders is the need of the hour, a country lacking in a consistent law to protect its citizen’s data is already several steps behind. 

In a digital era, where not only the collection of personal informationfor a range of services has seen a tremendous rise, but also where work from home has now become the norm- the issue of Data Privacy concerns is gaining centre stage for all the right reasons. Data Privacy continues to be see increasing rise of data protection regulations, i.e. China’s PIPL, California’s CCPA 2.0, Virginia (VCDPA), GDPR.

GDPR has become a benchmark for national level privacy frameworks globally. Recently, UAE also enacted a federal level data protection law largely mirroring the GDPR.

However, United States which is a country home to the biggest tech giants and Silicon Valley, the biggest tech hub, does not have a federal law for security of personal information.  In a recent live conference, Sundar Pichai (CEO of Alphabet) put forward a point for a federal privacy law in the U.S., similar to European Union’s GDPR.  Political pressure created by states through draconian data protection legislations by individual states could actually turn this into a reality. However, the concept of a national law for data protection for U.S. has been highly debated.

This Article aims to briefly introduce the current scenario of data protection framework in U.S. and the possibility of a unified federal law for data protection in the United States of America.

Current scenario regarding Data Privacy in the US

Patchwork of regulations

When we talk about data security legislations in the United States, we are not talking about a single legislation but instead sector-specific statutes enacted on the Federal and State level. These vertically focused legislations are:

Health Insurance Portability and Accountability Act (HIPAA): This act is designed to protect individuals’ personal health information. 

Children’s Online Privacy Protection Act (COPPA): This law protects  the collection of personal information of children under 13 years of age by regulating websites or online services.

Gramm-Leach-Blilye Act (GLBA): This protects the consumers’ sensitive financial information by regulating sharing of data by financial corporations.

Family Educational Rights and Privacy Act (FERPA): This law protects student records by regulating US Department of Education funded schools. 

Fair Credit Reporting Act (FCRA):  This act protects a consumer’s credit information by regulating companies such as credit bureaus.

These regulations successfully target and protect data of specific consumer categories; however, they are not comprehensive. While the federal laws help protect data in industry-specific situations, the internet remains a deregulated territory for privacy. 

However, the Federal Trade Commission (FTC) plays a major role in prohibiting “unfair or deceptive acts or practices” by companies. 

Comparative study of US state-wise privacy regulations

In the absence of a nation-wide privacy plan, various states have taken steps to fill the vacuum by creating their own framework for protection of data security rights. 

The most comprehensive state legislations are- The Colorado Privacy Act (CPA) enacted in 2021, California Privacy Rights Act (CPRA) enacted in Californa Consumer Privacy Act (CCPA) enacted in and Virginia Consumer Data Protection Act (VCDPA). However, while all 50 states have managed to formed frameworks for data breach notification, only California (CCPA), Nevada (SB-220) and Maine(LD-964) have privacy laws working in effect at the moment. 

While the foundation of these frameworks are on a similar pattern, they do come with variations in definitions and terminology used leading to a set of 50 different standardshttp://blogs.luc.edu/compliance/?p=3142 to comply with. 

For example, while CPA and VCDPA mirror the protections provided under the EU’s GDPR and have borrowed their terms and definitions from it such as “controller” and “processor” whereas CCPA has based their definitions on a business/service provider model. Further, the definiton of what constitutes as “sensitive information” also varies among states. For example, Email contents, Financial information and Social security numbers are not considered under the definition of sensitive data by VCDPA and CPA, but is part of CCPA. 

Private right of action refers to when an individual can enforce their rights. While CPA or VCDPA do not provide for private right of action, such a right has been made available under CCPA in the event of breach of “personal information”. While this right is limited under CCPA, The New York Privacy Act and the Massaccussets Data Privacy law have made the law even tighter by providing a private right of action for any violation of the law. The New York Act goes one step ahead from the CCPA and includes a “Right to correct”, closer to the spirit of EU GDPR.

Where in one place The New York Act has increased the weight of the law, North Dakota represents the most lightweight bill for a privacy legislation. This bill does not provide the foundational data protection rights such as right to withdraw consent and have data deleted to the individuals. Hence, all of these present standards prove to be inconsistent in implementation which puts individuals at risk of misuse of their personal information in states with lighter data privacy regulations. 

This patchwork model leads to inconsistency in regulation and has been criticised for making the compliance costlier and time consuming for businesses, especially smaller businesses who do not have adequate resources to match the standards required which leads to hefty penalties levied as in the case of Illionois’ BIPA (Biometric Information Privacy Act) which has been in headlines due to a splurge of class action lawsuits.

Data protection regulation help protect personal information of individuals from getting into unauthorised hands, further, a federal law helps avoid excessive compliance burden on businesses. Multiple legislations in different states makes it cumbersome to comply with the standards and is more costly and time consuming for the entities.

Federal Privacy Law Proposals

There are a number of bills floating in the parliament for federal privacy law. Apart from a nation-wide data protectionl aw proposal, many of these bills also dealth with specific privacy issues like AI, facial recognition and biometric data. 

The most prominent of the bills, which would serve as the point of further negotiations could be:

 

Consumer Online Privacy Rights Act (COPRA) which looks on strict restrictions on advertisement practicises on digital platforms. This bill aims to establish a requirement of consent from consumers for processing of sensitive data for behavioral targeting. democratic

SAFE (Setting an American Framework to Ensure Data Access, Transparency and Accountability Act) which embodies the spirit of various other federal legislations and helps provide consumers with rights such as rights to access, delete, correct data etc,

The question is despite bipartisan support, why is a federal law still not in works? 

Both of these proposed bills have some important points of key differences between them when it comes down to enforcement- which act as an obstacle to an agreement. Preemption of laws is a point of debate when it comes to a national privacy law. Whenever a conflict between a state law and a federal law arises in the US, the federal law is considered to be the supreme law and displaces the state law. COPRA does not provide for preemption of state/ local laws, while SAFE would. 

Another obstacle comes in form of private right to action. While COPRA provides for the right for individuals to enforce their privacy rights, SAFE provides this power only in the hands of State Attorneys General. 

Further, urgent tech policy issues might call for attention of the parliament, such as big tech antitrust, Communications Decency Act etc, which may further delay the movement on a federal law for privacy.

Conclusion

GDPR acts as an adequate foundation for federal privacy laws in US. The current legal framework of US regarding privacy laws resembles a mixed salad of federal and state laws which adds to a lot of complexity for businesses as well as individuals.A consistent policy is the need of the hour for the data security landscape in the US. 

In order to create a safer ecosystem where the consumers have protection against their information being misused it is imperative that a federal law comes into place, which is only possible when such a carveout is made during negotiations of the proposals that they could overcome current obstacles. The biggest obstacle against a national privacy law in US is the issue of enforcement, once that has been Further, such a unified federal law need to address issues pertaining to use of Artificial Intelligence (AI), Machine learning, Facial recognition and other advanced technologies as well. 

 

This article was written by Ishita Khemaria. 

Sources:

Sarah Perez, Alphabet CEO Sundar Pichai calls for federal tech regulation…, TechCrunch (Oct 19,2021), https://techcrunch.com/2021/10/18/alphabet-ceo-sundar-pichai-calls-for-federal-tech-regulation-investments-in-cybersecurity/

Lydia Bayley, The Patchwork Paradox: Data Privacy Regulation and the Complications of Compliance, Loyola Universiy Chichago School of Law (Sep 1, 2020), http://blogs.luc.edu/compliance/?p=3142

Sheila A. Millar, The State of the State Privacy Laws: A comparison,The National Law Review (Dec 1 2021) https://www.natlawreview.com/article/state-state-privacy-laws-comparison

Andy Green, Complete Guide to the Privacy Laws in the US, Varonis (Apr 2,2021) https://www.varonis.com/blog/us-privacy-laws#comparison

Kate Kaye, Cheat Sheet: What to expect in state and federal privacy regulation in 2021,Digiday (Feb 1, 2021) https://digiday.com/media/cheatsheet-what-to-expect-in-state-and-federal-privacy-regulation-in-2021/

Thorin Klowsowki, The State of Consumer Data Privacy Laws in the US (and why it matters), NY times (Sep 6, 2021)  https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/