So far the US has preferred piecemeal, state-level regulation to deal with consumer privacy, rather than sweeping regulatory frameworks like the GDPR. Only California, Nevada, and Maine currently have digital privacy laws on the books, while nine other states have proposed legislation. With the exception of the California Consumer Privacy Act (CCPA), these efforts have been relatively hands-off compared with EU law. And even the CCPA exempts businesses making less than $25 million in revenue.
But chatter is increasing about the need for comprehensive, federal privacy regulation instead of this piecemeal approach. There have also been a few pieces of federal privacy legislation proposed in Congress over the past few years, such as Washington Senator Maria Cantwell’s Consumer Online Privacy Rights Act, introduced last year. COPRA would apply many of the protections found in CCPA to any business operating in the US with revenues exceeding $25 million.
There’s also Kirsten Gillibrand’s Data Protection Act, which would create a US federal data protection agency — an agency that currently does not exist in the US. In announcing the bill, Gillibrand noted that the US is one of only five countries that lack a data protection law, joining Sudan, Venezuela, Libya, and Syria. If signed into law, the agency would be able to hear complaints and determine whether a business was being unfair or deceptive with its data collection practices, essentially becoming the US’s digital referee.
Despite the momentum toward federal privacy legislation, it doesn’t appear as if any of these bills will be debated any time soon. With Congress busy dealing with the COVID-19 outbreak and finding itself mired in an ongoing impasse, it might be at least another year until we see any meaningful steps toward federal regulation.
However, this lull provides you with the perfect time to get your security measures in order so you won’t have to play catch-up once federal privacy legislation is passed.