Rafe Hart

Thoughts on security, privacy, and building software.

The Coming US Privacy Law

03 February 2019

You may not be aware, but there is a new privacy law coming in the US, and though we don’t yet know the exact form it might take, its impact will be deeply felt. All around the world, new laws such as the GDPR are being enacted as governments struggle to catch up with technology. In Brazil the government has passed the LGPD, in Vietnam the government has passed similar legislation under what is referred to as the ‘Cybersecurity Law’, and in California the state legislature has passed the CCPA. Many other governments, including the US government, are in the midst of a similar process, with their sights set on mandating digital rights and enforcing data sovereignty.

The US is distinct from many other countries in that it doesn’t have a federal privacy law. Instead it has industry-specific laws such as HIPAA for healthcare, FERPA for education, and GLBA for finance. Most of these have been in place for at least 15 years, and in that time a lot of things have changed.

OSX circa 2001

When the most recent of these laws were passed, OSX and Windows XP were making their debut, Apple was releasing the iPod, and Nokia had just created the first phone with a fully functional calendar and FM radio. Because all-pervasive tracking simply did not exist at the time, data privacy laws didn’t account for many of the issues that we see today. To exacerbate matters, many of these laws have been under attack. To use the education industry as an example, FERPA has actually been weakened over time to allow non-consensual use and disclosure of data. This isn’t to say that the state governments have been content to let student privacy laws erode; since 2013, over 120 student privacy-related laws have been passed in at least 40 states. But this creates its own problem - if you are a US education institution with students from all over the country, are you observing 120+ privacy laws? I didn’t think so.

California's Consumer Protection Act

This slow Balkanization of US privacy law was catapulted into the foreground last year when California passed the Consumer Privacy Act, which creates data rights and places obligations on any company dealing with California residents. Unlike many of the previous laws, the CCPA is a sweeping privacy law with significant impact for the organisations it applies to. Critics of the legislation say that it has been rushed, and there is no doubt that it was proposed, drafted and passed into law very quickly. It takes effect on Jan 1st 2020, and to head it off there has been increased discussion of launching a new federal privacy law much like the GDPR.

Tim Cook tweeting about Privacy

Anecdotally, there seems to be bipartisan support to get something through this year, but what is it going to look like? This is a debate that is already ongoing, with Intel proposing a draft law and Apple’s CEO Tim Cook repeatedly calling for legislation to be implemented. Microsoft, Google and Facebook have also voiced their support for such a law.

There is no doubt that any new law is going to be compared directly with the GDPR. Further to that, in order to replace the CCPA, it will need to be at least equally strong. With that in mind, it is likely to include:

  • Requirements around transparency and consent
  • Right to access information, and have it erased under certain circumstances
  • Data sovereignty requirements, preventing data being moved across borders without consent
  • Specific protections for children
  • Cyber-security and record-keeping requirements
  • The ability to take legal action against organisations who do not appropriately protect your data

Often when new laws come in, industry takes a ‘wait and see’ approach to get a better sense of how effectively a law is going to be enforced. Privacy differs in that it is a topical concern felt by people around the world, and we are already seeing a series of GDPR fines as high as USD 57 million. The shape of things to come in this area is already well understood; what is under debate is the timeline of enforcement, the timeline of compliance for companies, and what happens to those who get caught between the two.