The American Data Privacy Protection Act currently making its way to the House floor is not just another privacy bill destined for failure. On the contrary, unlike past attempts, today's political climate is ripe for action in the wake of the landmark Roe v. Wade decision earlier this summer and other factors.
The favorable winds today are partly fueled by a not-yet-settled California privacy law (CCPA and CPRA due to become effective on Jan. 1, 2023). In addition to California, states like Colorado, Utah, Virginia, and Connecticut all have comprehensive privacy legislation coming into effect within the next year and a half. Add to that the Roe v Wade decision, threatening to expose the dark side of data capture in a very impactful way. For example, women seeking abortions may be outed by private data captured through applications, social media, or other data warehouses. Yet another log on this fire is that cross-border data transfers to the EU are in flux and you have a ripe environment for federal action.
Consider also the political climate. We are two years away from the next Presidential election, and with President Biden's all-time low approval ratings, the upcoming mid-terms are very important for both sides of the political spectrum. Passing a sweeping privacy bill that would help protect women- a substantial voting population- could be good political fodder for both parties.
If Congress does not get the ADPPA passed now, there is a considerable risk of making it more challenging to do so in the future. As a result, the states mentioned will have time to implement laws, women's rights could suffer, leading to blame on both sides of the aisle, and negotiations for cross-border data flows could fall apart.
State-level pre-emption is one key issue to watch as this bill moves to the floor. Representative Anna Eshoo, D-Calif., already teed up this issue when she presented a failed Amendment in Committee to make Federal Legislation a floor, allowing states to pass more stringent laws. California believes its law is the toughest in the US today, which is open for debate. Expect some finger pointing if federal legislation passes to the chagrin of California. Not that the comprehensive privacy laws in other states aren't necessary; California has a lot of electoral votes. Navigating this tricky issue will be crucial to the passage and potentially setting up for the next election.
With the uncertainty of how this will play out, it is vital to keep a close eye on how this legislation develops. Given the potential to pre-empt state laws, companies should carefully read and understand the pending legislation to anticipate what could become the law of the land. Companies should also have flexible privacy programs that are adaptable to changes such as these. As a result, data protection consulting is becoming more common.
A data privacy consultant can help examine the legal privacy landscape and evaluate how it might impact your organization. It is crucial to understand risk using a highly versatile risk model based on best practices rather than one particular law, i.e., CCPA. This is where a data security consultant, data breach consultant, or privacy compliance company may be helpful.
At Truvantis, our data privacy services help clients implement flexible privacy programs using a risk-based method to help ensure future legislation doesn't throw your company into crisis mode.
There are many upcoming legal changes in U.S. privacy laws. As they evolve, these laws converge with regulations and guidance of standard security practices. As a result, you can use security frameworks like the NIST CSF to make privacy programs more resilient to frequent changes in the law.
Using a three-pronged approach of risk assessments, policy and control frameworks, and security testing, you can derive reasonable and actionable steps to maintaining single security, privacy and compliance program that works across international, state and industry-specific jurisdictions.