Despite facing major legislative obstacles, the proposed American Data Privacy and Protection Act (the "Bill") has made history as the first comprehensive privacy bill to reach a full chamber vote in either the House or the Senate. This brings the United States one step closer to a federal standard for consumer data privacy. With Congress making progress toward a federal data privacy law and new state-level data privacy regulations being enacted routinely, every organization that processes U.S. consumer data must review and update its policies and procedures for compliance with new and upcoming privacy requirements.
The Bill Reaches Congressional Floor for Vote
Under pressure from an American public fed up with the lack of online privacy in the U.S., legislators have reached a landmark compromise to push the Bill forward. The Bill will now come to the U.S. House floor after the House Committee on Energy and Commerce markup resulted in a vote to advance it to full House consideration.[1] The markup compromise includes language that moves the private right of action's effective date from four years to two years post-adoption, expands the categories of sensitive information, sets out enforcement authority under the Federal Trade Commission, establishes "actual knowledge" standards concerning minors' data, and makes technical changes to the definitions of "covered entity" and "service provider."[2] The vote to advance the Bill marks the first time that a piece of comprehensive data privacy legislation will receive a full chamber vote in Congress.
Lingering Issues Concerning Preemption of State Privacy Laws
Although many amendments were accepted during the Committee markup, an attempt to exempt the California Consumer Privacy Act and the California Privacy Rights Act from the Bill's preemption provisions failed on a roll-call vote. The argument for the exemption was framed less as a carveout for California and more as the establishment of a "federal floor" that all states could build on. The amendment would have allowed all states, not just California, to provide rights beyond those established under federal law.[3] However, the amendment drew bipartisan backlash, as most committee members viewed it as unraveling the fragile Congressional compromise reached after years of discussion. Because California has established itself as a leader in U.S. data privacy regulation, the Bill risks losing supporters if an exclusion of California's laws from preemption is not added before the House floor vote. If these lingering issues are not resolved and the Bill fails in the full chamber vote, it could be a long time before Congress gets another chance to enact a federal privacy standard.
How to Become Compliant with New Data Privacy Regulations in the U.S.
When it comes to data privacy, it is better for organizations to be progressive in establishing and adopting the policies and procedures needed for compliance rather than scrambling to meet compliance requirements after the regulations come into effect. Organizations that are late to become compliant with data privacy laws in the U.S. face substantial liability risks relating to data breaches, consumer privacy lawsuits and regulatory penalties. To adequately prepare for the establishment of a federal privacy standard in the U.S. and to become compliant with applicable state-level data privacy regulations, every organization that processes U.S. consumer data must:
- Establish relationships with data privacy advisors.
  - It's important that your organization align itself with trusted data privacy advisors, such as data privacy attorneys and information technology specialists. Data privacy attorneys can relay information regarding newly enacted or amended privacy laws in the U.S., determine the applicability of privacy regulations, draft policies needed for compliance, and provide advice on pre-breach and post-breach actions. Information technology specialists can assist in implementing the systems needed for compliance with privacy regulations and for protecting consumer data.
- Discover and map personal data held by your organization.
  - Discovering and documenting your organization's data processing activities will increase your understanding of what data your organization holds, who it belongs to, and what regulations it may be subject to. Data mapping is a foundational element of every privacy program and will allow you to track the purpose for processing and flag potential risks.
- Conduct privacy impact assessments.
  - Assessing data processing activities to flag and mitigate privacy risks is crucial to understanding how covered entities can better protect personal information, and it is also an essential requirement under many state privacy regulations, including the California Privacy Rights Act, the Connecticut Data Protection Act, and the Colorado Privacy Act.
- Establish policies and procedures to respond to privacy rights requests.
  - Many consumers complain of violations of data subjects' rights. Your organization needs to establish policies and procedures for responding to data subject requests to avoid any such violations.
- Enable adequate privacy governance.
  - Businesses should develop and implement effective privacy governance programs to manage personal data in compliance with multiple state laws and their varying requirements. Integrating privacy governance workflows into compliance efforts for U.S. state laws can assist with data mapping and with applying the applicable regulations.
The Bill is our best hope at protecting Americans' privacy and data security while providing certainty to American businesses. Nonetheless, organizations should not wait on the enactment of a federal standard to begin prioritizing data privacy and cybersecurity. The foregoing steps for compliance with data privacy regulations should be reviewed by your organization's decision makers immediately to protect sensitive consumer data and prepare for the future of data privacy legislation in the U.S.