It’s Time for a Federal Data Privacy Law in the U.S.

New state-level data privacy laws just keep coming. By the end of 2023, California will transition to the CPRA, and residents of Virginia, Colorado, Utah, and Connecticut will be covered by more expansive state privacy laws. With 10% of U.S. states covered by data privacy legislation by the end of next year, it’s clear there’s a need for federal legislation as well.

I’m pleased to see reports of positive momentum on this topic in Washington. The proposed—and bipartisan—American Data Privacy and Protection Act (ADPPA) is subject to revision as a result of future committee hearings and legislative action, but it provides a valuable roadmap on what a future federal law might look like. 

And it’s no surprise lawmakers are making this push. Personal privacy is increasingly viewed as a global human right. In fact, it’s expected that 65% of the world’s population will have its personal data covered by data privacy laws by the end of next year. Over time, the way that vendors manage consumer and employee data will determine how much consumers trust them and want to do business with them, which will impact their bottom lines. 

Federal legislation will help the U.S. align with the rest of the nations leading the charge on data privacy, and hopefully it will help build momentum so even more nations follow suit. Moreover, it will give vendors and users clarity on how to use, store, and manage private data going forward, which will help avoid potential confusion caused by a patchwork of disparate state laws.   

Perspective From Truyo on Potential Federal Legislation

For additional thoughts on a potential federal data privacy law, I recommend you read this post by Truyo President Dan Clarke on the proposed legislation. Truyo and Egnyte partner to help enterprises handle consumer privacy issues, including automated DSAR responses that identify sensitive data in customers’ structured and unstructured data repositories.

In his post, Clarke, a subject matter expert who has helped develop data privacy legislation in states across the country, walks through several of the key provisions in the ADPPA, including:

  • Which businesses and data the law would apply to
  • Rules on handling and processing data
  • User consent and consumer rights
  • Cybersecurity standards
  • Enforcement and future rulemaking

Clarke says consistent nationwide legislation is greatly needed. And while he’s skeptical of the likelihood of something getting passed, he sees the ADPPA as the best sign yet that something might get done.

The post also features commentary from Michael Hellbusch, partner at Rutan & Tucker, on what the ADPPA potentially means for U.S. businesses. He notes that the ADPPA, while far from a final product, does attempt to address major concerns among data privacy experts, including children’s privacy, algorithmic processing, and regulating data brokers.

Why Your Company Needs to Respect Data Privacy 

Despite the uncertainty around federal legislation, you should still expect more specific requirements in the years ahead, even if it’s at the state level. As you take stock of how this will impact your business, it’s clear that there’s a need to implement and maintain reasonable administrative, technical, and physical security practices and procedures to protect covered data. 

So whether through a new federal law or a series of state laws, respecting consumers’ and employees’ data privacy and complying with regulations have never been more critical.

Here’s why:

  • Consumers and employees are more informed. With the explosion of new data privacy regulations, employees, consumers, and even business partners are more aware of their rights under various regulations. This dramatically increases the risk of fines and litigation due to non-compliance. 
  • Convergence of PII and Protected Health Information (PHI). Companies routinely collect PII and PHI. When those two data types are combined, they can represent a data breach just waiting to happen. Examples include information on workers’ insurance claims and COVID-19 vaccination statuses that can be used to steal identities or result in data exfiltration.
  • Adoption of hybrid work models. To achieve desired productivity in a hybrid work environment, organizations may need to ask employees intrusive questions about their behavior and details of work-from-home arrangements, and those questions can create their own privacy impacts.
