Virtually all organizations are governed by at least one privacy law, and yet compliance failures continue to jeopardize personal data
Patient information is protected by the HIPAA Privacy Rule. Student information by the FERPA Privacy Rule. Personal financial information is protected by the GLBA Financial Privacy Rule. Cardholder data by the PCI Data Security Standard. Many widely adopted security frameworks, such as those from NIST and ISO/IEC, also incorporate data privacy provisions. And, as if these laws weren’t sufficient, 16 individual states have enacted their own consumer privacy laws.
These laws are a testament to our concern about data privacy in the U.S. In fact, data privacy has become such an issue that in 2022, for the first time, the National Cybersecurity Alliance extended Data Privacy Day to a full-blown Data Privacy Week.
This year, Data Privacy Week is January 22-28, 2023. In support of the National Cybersecurity Alliance and StaySafeOnline.org, and in the interest of spreading the word about the importance of complying with existing data privacy laws, 24By7Security is an annual Data Privacy Champion. This year is no exception, which is why we’re kicking off January with a look at the federal data privacy legislation that is pending in Congress.
Data Privacy Laws on the Books: The Good and the Not So Good
Existing federal and state privacy laws share many commonalities, including their guiding principles, objectives, specific provisions, and penalties for non-compliance. A central problem is that, while many have been adopted by a variety of organizations, adoption has not been consistent, comprehensive, or fully compliant. And this is why data breaches continue to occur in all industries in the U.S.
The logical and most cost-effective response would seem to be to step up enforcement of our existing data privacy laws, including mandatory compliance audits, and perhaps to expand compliance requirements to include mandatory compliance certification. Organizations that fail to properly implement the data privacy protections that apply to them should be actively penalized and monitored. A number of federal and state privacy laws are on the books, and they are no secret.
There are privacy rules for healthcare (HIPAA), education (FERPA), financial services (GLBA), and credit cards (PCI DSS). And there are privacy frameworks that can be applied in virtually any industry, courtesy of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO 29100).
While the industry-specific privacy rules above are mandatory for compliance, the more universal industry-agnostic privacy frameworks are not mandatory. This may be one of several reasons the U.S. Congress proposed not one, not two, but a handful of new federal privacy laws in 2021 and 2022.
U.S. Needs a Comprehensive Federal Privacy Law
Of the five new federal privacy regulations proposed in 2021 and 2022, three were proposed by the House of Representatives (H.R.) and two by the Senate (S.). Four create new bureaucratic entities for oversight and enforcement purposes. At least one preempts certain previous laws, including state laws. And all five continue to languish in various stages of inertia.
When a new law finally does cross the finish line, passed by both houses of Congress and signed into law by the President, we can usually be certain that it succeeded by posing the fewest insurmountable objections among all others in its class. And with five new proposed laws, the class of 2021-22 is a big one!
The fact is, the U.S. does need a comprehensive federal data privacy law that applies across industries, is fairly easy to implement, is mandatory and enforceable, and is effective.
Below is a brief description of the five federal regulations currently pending. Some will be abandoned in favor of others, but perhaps one will make it to the finish line.
Data Care Act of 2021, S. 919.
Introduced in the Senate in March 2021, this Act has seen no further action to date. It imposes various requirements on online service providers to govern their handling of individual-identifying data that can be reasonably linked to a specific user. (Note: The established terminology is actually personally identifiable information, or PII.) This Act authorizes the FTC and specified state officials to take enforcement actions for breaches of requirements and compliance failures.
Information Transparency & Personal Data Control Act, H.R. 1816.
Also introduced in March 2021, the House promptly referred this Act to its Consumer Protection and Commerce subcommittee for review, where it remains. The Act calls for the FTC to establish requirements for certain organizations when they collect, transmit, store, process, use, or otherwise control sensitive personal information. Information relating to an identifiable individual (or PII) is generally considered sensitive personal information, but information that is publicly available is not. (Defining ‘publicly available’ is therefore central to implementation.) It gives the FTC and state attorneys general the authority to enforce its provisions. This Act also requires that the FTC hire 500 new employees to concentrate on data privacy and security.
Online Privacy Act of 2021 (OPA), H.R. 6027.
Introduced in November 2021 in the House, this Act has also seen no further action since that time. OPA establishes certain online privacy rights for personal information, including the contents of online communications. It also imposes certain requirements on data processors, service providers, and third parties. OPA also includes the establishment of a Digital Privacy Agency for oversight and enforcement purposes, proposed to be separate from the FTC.
Consumer Online Privacy Rights Act (COPRA), S. 3195.
Also introduced in November 2021, this Senate Act remains in ‘proposed’ status awaiting approval. COPRA places specific requirements on organizations that process or transfer a consumer's data, similar to certain provisions in OPA. It also requires those organizations to name a privacy officer and a data security officer to implement privacy and data security programs and conduct risk assessments, not unlike provisions of HIPAA. This Act requires the FTC to establish a new bureau to help enforce COPRA.
American Data Privacy and Protection Act (ADPPA), H.R. 8152.
This most recent entry into the privacy law competition was introduced in June 2022 and is considered the frontrunner among federal privacy legislation. It represents significant progress in the two-decade effort by Congress to develop a national data security and digital privacy framework that would establish new protections for all Americans.
ADPPA would create a comprehensive federal framework for consumer privacy. It would govern how consumer data would need to be treated by companies across different industries, particularly in Big Tech. The Act would create a Bureau of Privacy at the FTC to enforce its provisions, and any ADPPA violation would be treated as an unfair or deceptive act or practice in violation of section 18(a)(1)(B) of the Federal Trade Commission Act.
To do its job as its authors envisioned, ADPPA would preempt any previous or state laws made redundant by its provisions. This contingency has raised concerns in California, where state lawmakers do not want to see their comprehensive state privacy legislation preempted by federal law. ADPPA has undergone several redrafts in the House while the preemption provision is being debated. This debate is essential because the preemption provision has sweeping implications that will either complicate or streamline privacy legislation for years to come.
The Role of the FTC in Data Privacy
The Federal Trade Commission is the enforcement authority for four of the five proposed privacy laws above, in accordance with the Federal Trade Commission Act of 1914. This milestone legislation created the FTC and empowered it to investigate and prevent unfair methods of competition, and unfair or deceptive acts or practices affecting commerce. These directives translate to two primary missions: (1) protecting competition, and (2) protecting consumers.
As consumer privacy issues have exploded in the digital age, the FTC has brought enforcement actions addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile privacy concerns. More than 130 spam and spyware cases and 75 general privacy lawsuits have resulted from these FTC actions.
Investigation and Enforcement. The Federal Trade Commission is the only federal agency that deals with consumer protection and competition issues across broad sectors of the economy, with far-reaching impacts. While the FTC is authorized to investigate and enforce, bringing criminal charges is the work of the U.S. Department of Justice. However, the FTC is authorized to impose expensive civil penalties for violations and non-compliance.
Throughout 2022, the FTC continued to increase its investigation and enforcement activities to address the evolution of unfair or deceptive practices in the areas of privacy, cybersecurity, and consumer protection. It has also become more effective in clearly specifying the terms of settlements with violators, perhaps taking a page from the highly detailed HHS OCR settlements.
However, these positive changes at the FTC do not alter the fact that enacting more data privacy laws will increase the enforcement burden and make implementation even more complex for adopting organizations. These consequences support the case for preempting existing laws when they are rendered duplicative by subsequent legislation. Does it seem sensible to continue to add new laws to the data privacy stew without retiring those that have become redundant or obsolete?
Many states have already enacted limited data privacy laws. Five states, including California, have comprehensive state privacy laws taking effect in 2023. At the federal level, five different data privacy laws were proposed between 2021 and 2022 by the House and Senate. Four of the five laws create new agencies or other bureaucratic entities that would be responsible for oversight and enforcement activities.
The most comprehensive of the five federal laws—the American Data Privacy and Protection Act (ADPPA)—proposes to preempt laws rendered redundant by provisions of the Act. This has brought the ADPPA to a standstill as the House of Representatives considers next steps. Hopefully, the most sensible approach will prevail.
There is no question that the U.S. needs an effective, mandatory, comprehensive federal data privacy law. It’s anyone’s guess which of these contenders will make it to the finish line, and in what condition.
Data Privacy Week is January 22-28, 2023. Becoming a Data Privacy Champion gives you access to tools and materials that will help you promote data privacy throughout your organization, and among your third-party vendors, all year long. Join 24By7Security in becoming a Data Privacy Champion and advocating for comprehensive data privacy legislation.