A survival guide for data privacy in the age of federal inaction

Things change fast in the world of data privacy. Just earlier this year, the question I was being asked most frequently was, “How similar will the proposed federal privacy law (APRA) be to the EU’s GDPR?” Now that APRA is pretty much dead on arrival by Congressional watchers, the question I am hearing is, “Will we ever have a national privacy law in the US?”

The current situation and how we got here

After the GDPR privacy law was approved by the EU in 2016 and enacted in 2018, all eyes in the privacy industry turned to the United States. When momentum failed to build for a similar law at the federal level in the US, state governments started to fill that void. Today, we have 20 state privacy laws in the United States, with more expected.

While there is some overlap in these new regulations, there are still significant differences in how these are to be operationalized from state to state, creating tremendous complexity for privacy and compliance teams. In addition to this increasingly complicated patchwork of competing state regulations, there is also a long list of states that do not have privacy laws in place. This leaves a large percentage of the US population unprotected by privacy statutes of any kind.

This combination of factors – conflicting state laws, a high number of unprotected Americans, the complexity facing businesses, the evolution of emerging technologies and the successful enactment of GDPR – all increased pressure on Congress to make progress toward a national law in the United States.

In 2022, there was some movement at the federal level with a framework called ADPPA, but it quickly lost momentum and was abandoned. In Spring of this year, Congress took up the issue again when bipartisan legislation called the American Privacy Rights Act (APRA) was introduced.

The bill was co-sponsored by Senator Cathy McMorris Rodgers (R-WA) (House Committee on Energy and Commerce Chair) and Maria Cantwell (D-WA) (Senate Committee on Commerce, Science and Transportation Chair). For privacy professionals who have been advocating for a federal law for so long, a bipartisan proposal made APRA feel like real progress.

But that momentum stalled on the eve of when Congressional debate of the law was scheduled to officially begin in late June. The momentum disintegrated because of proposed changes to the legislation, leading to accusations that key protections were being gutted. Now, the legislation appears to be shelved.

That brings us back to question I’m being asked by so many interested parties:

Will we ever have a national privacy law in the US?

I think a federal law is inevitable, given the pressure that will continue to grow from two sources: citizens who want greater privacy protections in the era of ubiquitous technology, and a business community that faces more operational complexity because of the patchwork of current regulations.

But just because something is inevitable does not mean it will come any time soon. It took two years for the failed efforts behind ADPPA to lead to the hopes of APRA. How long will it be until Congress decides to look at it again?

No one has a crystal ball for predicting that, but what I can tell you for certain is that security, privacy, and compliance professionals need a survival guide until then because the privacy landscape is about to get even more complex.

In the wake of APRA stalling in Congress, managing privacy will become even more challenging for companies operating in the US because of factors such as:

• More state-level regulations being enacted for data in general as well as for health data specifically
• The impact of White House Executive Orders on Sensitive Data
• Rollout of California’s data privacy regulations, which place significant new demands on businesses selling to customers in the country’s most populous state
• Changes to state rules that are happening on nearly a daily basis for privacy issues related to AI, consumer data and content moderation
• Privacy adjacent regulations, such as cybersecurity, AI and online safety, that all compound the need for growing digital regulation and governance.

Every day, this complexity grows, moving the US further away from the vision of a GDPR-like uniform regulatory landscape for privacy. That means that the privacy, security, and compliance teams that collaborate on privacy programs cannot have one-size-fits-all privacy policies for their US operations and customers. They need a strategy that can adapt as the puzzle goes from 25 pieces to 250 pieces to 25,000 pieces – which is the path we are rapidly travelling down in the absence of a comprehensive federal law.

Each of these laws is a step forward for protecting the privacy of citizens and providing a clear set of rules for businesses to operate within. But the variation between them and the daily drip-drip-drip of changes are challenging for companies to keep up with.

What’s a privacy professional to do?

While we wait for a federal law, it is imperative that that companies have a holistic privacy strategy that is built for this level of variation and dynamic change.

First, organizations should map or inventory their data to understand what they have. By mapping and inventorying data, organizations can better visualize, contextualize and prioritize risks. And, by knowing what data you have, not only can you manage current privacy compliance risks, but you can also be better prepared to respond to new requirements. As an example, those data maps can allow you to see the data flows you have in place where you are sharing data – a key to accurately reviewing your third-party risks.

In addition to be able to prepare for existing, and new, privacy laws, it also allows organizations to be able to identify their data flows to minimize risk exposure or compromise by being able to better understand where you are distributing your data.

Secondly, companies should think through how to operationalize priority areas to embed them in your business. This might be through training of privacy champions and adopting technology to automate privacy compliance obligations such as implementing an assessments program that allows you to better understand data-related impact. Companies that are processing data that constitutes a heightened risk, such as selling data or using it in targeted advertising, may be required to do this in some states.

However, even when not required, it is good practice to do so to ensure that you are handling data in accordance with consumer expectations. Using those data maps mentioned above, and automating a process designed to automate assessments, can help companies to operationalize compliance obligations and proactively prepare for future needs.

Thirdly, companies should take steps to better understand their supply chain risk. Do you need to minimize the data that you share? Are your vendors reputable? Do they comply with privacy laws? Better understanding your digital footprint can help improve your overall privacy risk – but it has other benefits too. The less data you are sharing, the less likely it is that your data will be compromised in the event your vendor is.

With increasing cyber threats and daily breaches, this is too common a problem for organizations. Proactively managing your privacy program, and working with your privacy teams, to more holistically protect data, helps organizations to manage compliance requirements today – and to prepare for a future federal privacy law when that (hopefully!) gets passed.

These are critical steps for surviving this waiting game where the rules seem to change on an hourly basis.