
Ovum view


In early November 2018, US Senator Ron Wyden (D-Oregon) introduced draft legislation for a sweeping federal data privacy law that would empower consumers to opt out of data collection, impose steep fines for noncompliance, and enforce criminal penalties for senior corporate executives who willingly sign off on falsified data protection and privacy reporting. The proposed Consumer Data Protection Act would in theory remedy the current lack of a federal data privacy framework and help obviate the need for additional state-level legislation. However, given current political dynamics, the bill is unlikely to pass. What it does do, though, is force a meaningful federal discussion of data privacy and consumer rights, paving the way for future legislation.

Unlikely to pass, the bill still forces the discussion of privacy

To date, the US has been stubborn in its unwillingness to address data privacy and protection issues at the federal level. While the EU successfully pressured nations around the globe to adopt standards modeled after the General Data Protection Regulation (GDPR) in order to facilitate trade and data transfer, the US was largely able to use its economic heft to resist such changes in national policy. However, the issue of data privacy and data protection did not go unnoticed by legislators. With rising consumer awareness and lack of federal action, individual states began to take matters into their own hands, forging policy such as the California Consumer Privacy Act (CCPA), which conferred protections for residents. As states move forward with their own standards, the trend threatens to create a convoluted legal landscape of patchwork regulation which is difficult for both businesses and consumers to navigate.

Federal standards for data privacy and data protection would help streamline corporate compliance efforts and preempt the need for additional state-level policy. Senator Wyden, who has a consistent legislative record for privacy policy advocacy, introduced the Consumer Data Protection Act in early November to create such a framework. The bill is notable for its strict reporting requirements, opt-out rights for consumers, expansion of Federal Trade Commission (FTC) enforcement capabilities and staffing, steep fines of up to 4% of annual revenue, and (unlike GDPR) criminal penalties of up to 10–20 years in prison for senior executives. In addition, it mandates that organizations assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security. In many ways, it creates standards that are stricter than GDPR, and which are more difficult to comply with given the increasing opacity of machine learning and AI algorithms.

However, given the current political dynamics in the US, the bill is relatively unlikely to pass. Data privacy and data protection were not flashpoint candidate or voter issues in the November 2018 midterm elections, and Congress remains largely split along party lines with regard to regulatory matters. But more importantly, the large organizations that use data monetization as their business model – the organizations at which the proposed legislation is squarely aimed – continue to have enormous lobbying clout, with a heavy hand in shaping the government's technology policies.

What the proposed legislation does, however, is raise the profile of data protection and data privacy at the federal level in the US and force the discussion of the matter in Congress regardless of the ultimate outcome. By design, the Consumer Data Protection Act was drafted to set the bar extremely high so that the lobbying forces and compromises inherent in the legislative process will eventually result in future policy that is sufficiently protective and meaningful for consumers. With the future of the EU-US Privacy Shield framework currently in question, a US federal policy for data protection and privacy could potentially facilitate trade and data transfer with the EU via an “adequacy decision” if protections are sufficiently similar to GDPR. However, to get there, the US needs to address these issues in Congress rather than at the state level. What the proposed legislation does is pave the way for that discussion to occur, forging the possibility for federal-level policy that is more moderate – yet still meaningful and protective – so that businesses may eventually have a single, streamlined standard to adhere to, which will facilitate compliance.




Paige Bartley, Senior Analyst, Data and Enterprise Intelligence
