When news of the Facebook/Cambridge Analytica scandal broke last year, the shock shouldn’t have been that it happened, but that so few Americans were even aware such data violations actually do happen.
While identity theft and data loss have always been the primary security concerns for consumers and organizations, data privacy rarely got mentioned. This, of course, has changed, and Facebook was the perfect poster child to bring data privacy to light.
Considering its young billionaire founder, the politics of today, and that its billions of users post personal things on it daily, Facebook was ripe for mainstream attention when it came to data privacy. With Facebook’s high-profile congressional testimony behind us, and politicians and business leaders racing to voice their newfound concern for sound data privacy practices, the inevitable is coming: regulation.
Regulation is often a dreaded word for many business executives. It’s even something many have crafted entire careers fighting. But here’s a more radical approach: Stop resisting.
Fight the good (regulation) fight
Business leaders should not only embrace data privacy regulations, they ought to actively push for a federal law covering all Americans. Before you dismiss this notion, consider the alternative: outright chaos that benefits no one.
In 2020, California is set to enact the most stringent data privacy law in America, known as the California Consumer Privacy Act (CCPA). The CCPA is robust — covering many of the concerns people have regarding data privacy. With provisions such as the right to know what type of data is being collected on them, and to whom their data is being sold, the CCPA has individuals cheering and businesses scrambling. But the breadth and depth of the California law shouldn’t be businesses’ main concern. The larger issue is the very real (and scary) possibility of all 50 states enacting their own versions of such a law. Now that should keep the C-suite up at night.
Driven by residents’ newfound understanding of and concern about how their data is being handled, state leaders are reacting. Several states are currently moving forward with or proposing new data privacy laws, with many other states sure to follow suit. Now this is at the state level, which has myriad resources and budgets to put forth such laws.
The majority of companies, to put it bluntly, simply don’t have the expertise or resources to effectively handle the data requirements involved in dealing with 50 different data privacy laws. Imagine 50 different laws, each potentially having different opt-in clauses, different rules on what is in fact personal data, and different rights regarding whether a person can request that their data be erased. The data governance, people and processes alone are too overwhelming to even think about. It would be like a flight attendant asking passengers to select a meal from 50 different options, then having to prepare each meal and figure out which passenger should receive which meal. This is essentially what it would look like if each state enacts its own data privacy law.
Multiple flavors of data privacy laws would not only slow the pace of business and innovation, but also would achieve chaos and zero results. A tragic loss across the board.
Putting privacy into users’ hands
There are two proposals currently making the rounds in the legislative branch: the Data Care Act and The Information Transparency and Personal Data Control Act. The Data Care Act covers a broad range of personal data from social security numbers to user passwords and would require user permission before information on them is sold. The Information Transparency and Personal Data Control Act centers mostly on opt-in consent and how information is being shared with third parties. If just one of these acts becomes law, the impact on privacy is that individuals gain control over their data and a single regulator has the power to ensure data privacy for all Americans. While it would require a significant amount of work from organizations to become compliant, the goal is to comply with one law – not several. And that makes all the difference.
While still far from becoming law, the intent of these acts deserves and requires bipartisan support. Yes, debate and concessions will no doubt occur. But make no mistake: States will act on data privacy if the federal government does not. A federal regulation is not only a win for individuals, but for businesses as well. When’s the last time you could say that?
Todd Wright is the Global Lead for GDPR Solutions at SAS.