On September 24, 2018, the US Department of Commerce's National Telecommunications and Information Administration (NTIA) issued a public consultation on new consumer privacy legislation. The aim of the consultation is to create a principal law to protect personal information in order to achieve greater consistency between the US states.
The protection of data in the US is regulated by both national and state laws. Until now there has not been a single, all-encompassing data protection law. Federal-level laws have tended to focus on specific sectors, such as the financial and retail industries, while at the state level, legislation is focused on protecting the privacy of individuals. There are more than 50 data-breach laws enacted across the country. Not all states have implemented detailed data protection laws, however, and where regulation is in place, it tends to vary considerably between states. Some states have been more proactive, such as California and Massachusetts, which have strong data protection frameworks in place. However, such fragmentation between states creates compliance challenges for businesses. To deliver greater harmonization and avoid more states introducing conflicting laws, the US government needs to set clear, comprehensive, and consistent rules in the form of a principal federal-level law that applies to all companies.
In a move that follows California's data protection regulation passed back in June 2018, the US NTIA has started work on new consumer privacy rules. It has opened a public consultation on its proposed framework, which closes on October 26, 2018. Similar to California's legislation – which gives consumers more control over how companies collect and manage their personal information – the new proposal outlines that organizations should be transparent about how they collect, use, share, and store users' personal information. Users should be able to exercise control over the personal information they share with organizations. It also states that the collection, use, storage, and sharing of personal data should be reasonably minimized in a way that is proportional to the scope of privacy risks. Organizations should also employ security safeguards to protect the data that they collect, store, use, or share, and users should be able to reasonably access and correct personal data they have provided. In addition, the proposal highlights the need for organizations to take steps to manage the risk of disclosure or harmful uses of personal data, and states that they should be held accountable for the use of personal data that has been collected, maintained, or used by their systems. NTIA is also seeking comment on several goals outlined in the consultation that set the broad direction that the government should take to achieve US consumer privacy protections.
On September 26, 2018, the Senate Committee on Commerce, Science, and Transportation held a hearing on data privacy to discuss the consultation and the potential for federal privacy regulation. In particular, the focus was on the potential scope of the privacy law and the role of the Federal Trade Commission (FTC) in regulating data privacy practices. It is important that any rules that are implemented are also effectively enforced by a regulatory body. The FTC is already broadly empowered to enforce federal privacy and data protection regulations, and can take enforcement action against unfair practices to protect consumers, but this authority will need to be extended and incorporated into the new legislation.
Sarah McBride, Analyst, Regulation