The Need for Federal Data Privacy Laws in the U.S. | GDPR | I.S.P. (2024)

Have you heard the question, “Is America a melting pot or a salad bowl?” Let’s apply that concept to data privacy laws. Today, in the U.S. there is no consistent, national data privacy law. Instead, businesses are trying to make sense of a ‘mixed salad’ of different regulations and laws enforced by individual states and industry-based regulatory bodies.

The Need for Nationwide Data Privacy Laws

As technology continues to evolve and affect so many facets of our lives, the digital environment really demands an overarching framework for ensuring and enforcing data privacy.

Eliminate Confusion & Inefficiency

Businesses today do not operate within borders. Vendors, suppliers, customers, and business associates all work to stretch operations across state and international borders. Often, they also operate or rely on business in multiple industries. Having to navigate various federal, state, and industry-related regulations creates confusion and inefficiencies for entities, assessors, and regulatory bodies.

Avoid an Excessive Compliance Burden

Similarly, with multiple standards in force, the reporting and compliance process requires more time, effort, and money from entities.

Because GDPR came first (in effect since May 2018), many American and multinational companies have already made the effort to reach GDPR compliance and continue business with their European customers. In order to avert further compliance burden, U.S. data privacy legislation should try to stay close to the standard already set by GDPR.

Keep Regulations from Becoming Obsolete

U.S. laws for data privacy that are currently on the books were written in the past and were designed to regulate a different environment. Now, we need regulations that are flexible enough to address developing technology and still be applicable in the future.

Strengthen Privacy Protections

Gaps and overlaps are a natural result of multiple regulations. In some instances, they are even in conflict with each other. Yet, in an era when personal data is increasingly vulnerable, protecting privacy is more critical than ever. Regulations should be comprehensive and clear – covering all types of personal information in all forms – in order to provide the strongest level of protection possible.

U.S. Data Privacy Laws

There is no federal data privacy law like GDPR in the United States. There are some national laws that have been put in place to regulate the use of data in certain industries.

  • 1974 – The U.S. Privacy Act, which outlines rights and restrictions regarding data held by US government agencies.
  • 1996 – Health Insurance Portability and Accountability Act (HIPAA), which regulates privacy and security in the healthcare industry.
  • 1999 – Gramm-Leach-Bliley Act (GLBA), which governs how consumers’ nonpublic privacy information is collected and used in the financial industry.
  • 2000 – Children’s Online Privacy Protection Act (COPPA), which took a first step at regulating personal information collected from minors. The law specifically prohibits online companies from asking for PII from children 12-and-under unless there’s verifiable parental consent.

Now we find ourselves in the year 2020. And there has been no significant progress towards a unified framework – across states and industries – of data privacy best practices in 20 years. The FTC has been the only guiding force in penalizing tech and social media conglomerates that have misled users about how their data is collected and sold to third parties.

But fines are not an effective form of regulation, and they don’t help companies to understand and implement best practices. What’s needed is a framework that guides entities in developing effective data privacy policies and practices – from the ground up. Not just punishing violations – from the top down. Because the truth is, we may hear about the cases involving Facebook and Zoom, but how many other instances of ineffective security are going unnoticed?


Difference Between U.S. and EU Data Privacy Laws

We can’t make a fair comparison because there isn’t (yet) a U.S. equivalent to GDPR. Essentially, the EU respects privacy as a fundamental right of citizens. GDPR is a comprehensive personal data protection framework designed to safeguard those rights. It governs companies operating in EU member states as well as international entities interacting with EU residents.

Some proposed regulations include the American Data Dissemination Act, the Consumer Data Protection Act, and the Data Care Act. At this point, however, no proposal has gained enough support in Congress to become a new law.

The closest national law in force would arguably be HIPAA, which was engineered to protect patient privacy and healthcare information. Yet, we lack regulations that cover consumer privacy and data security in all industries.

The Un-United States of Data Privacy

In recent years, we’ve seen states introduce their own consumer data privacy regulations. The California Consumer Privacy Act (CCPA) and the Massachusetts Data Protection Act are two strong examples. Other states have already enacted their own data protection laws that apply to all businesses. These states include:

  • Arkansas
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Kansas
  • Maryland
  • Minnesota
  • Nevada
  • New Mexico
  • Oregon
  • Rhode Island
  • Texas
  • Utah

Each of these states has developed and adopted its own data protection laws that require companies holding personal consumer information of state residents to protect that information. Thus the ‘salad bowl’ conundrum. Without a melding of the governing forces, each state is left to act alone, and compliance becomes confusing and inconsistent.

Why Do Multinationals Need to Care About GDPR Compliance?

Non-EU affiliates associated with a multinational business need to care about GDPR because they, most likely, have customers residing in an EU country. If the EU consumer data that multinationals collect during transactions is accessible from one central system to affiliates around the world, it is imperative that these companies understand how the data flows to ensure that cross-border data transfers comply with the GDPR requirements.

Another highly important reason to make GDPR compliance a priority is that non-compliance leaves multinationals subject to substantial administrative fines that designated data protection authorities (DPAs) are given authority to impose if they find cause. The penalties for GDPR non-compliance are four percent of the company’s worldwide gross annual revenue or €20 million. Such penalties are applicable even if the responsible entity is merely a subsidiary with only a few employees, making it essential that multinationals make sure that any subsidiaries are on board, as well.

Additionally, DPAs hold the power to bar or ban data transfers from the EU to the U.S. parent corporation if they discover a non-compliance issue.

Are You Confused About Data Privacy Compliance?

Talk with I.S. Partners, LLC. We can help your organization determine which regulations apply to your activities and build a strategy for achieving full compliance.


About The Author


Bernard Gallagher

Bernard has over 25 years of experience working in the Healthcare, Insurance, Banking and Telecommunications industries. Bernard has expertise in MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance, Banking and Financial Services and Department of Insurance.
