Privacy in the US
26 September 2018
In the US, there is no single, comprehensive federal law regulating the collection and use of personal data. The inconsistent nature of the current protection for data and privacy has largely been accepted as a consequence of the balancing act between what is a Federal responsibility and what is a state responsibility.
However, against the backdrop of recent controversies involving personal data and developments in European legislation, there is an emerging trend in some US states which suggests that new, national privacy legislation may be a necessity.
At present the US has a combination of Federal and state laws, guidelines and regulations governing privacy rights. These can apply to certain sectors and types of sensitive data, such as health or financial information. This has created an assortment of overlapping and contradictory protections which may point to underlying cultural differences in the way US citizens view privacy and personal information, versus European citizens.
Europeans, in contrast to their American cousins, have long considered their privacy to be a fundamental right. But are we now witnessing a shift in attitude in the US?
In a 2017 study, The Pew Research Center looked at the spread and impact of social media in the US. The study revealed that US citizens are increasingly anxious about how their personal information is being used and how their data is being secured. According to the survey, just 9% of those canvassed believe they have “a lot of control” over the information that is collected about them. Furthermore, 61% of those surveyed said they would “like to do more to protect their privacy” and two-thirds stated that current laws are “not good enough in protecting people’s privacy”. It is worth noting that this research was conducted before the Cambridge Analytica scandal, in which the private data of up to 87 million Facebook users was accessed.
These findings are also supported by research undertaken by Schillings as part of its Private and Confidential – Cyber Security Report, in which 92% of US respondents (comprised of family principals, family offices and family businesses) stated that the manner in which personal data was being retained, used and shared was the top factor when it came to changing their view on the importance of privacy – a far greater proportion than any other region. In comparison, European respondents cited ‘media exposure’ as the top factor in changing their views on the importance of privacy.
What is clear is that privacy is becoming an increasingly important issue in the US and must now be considered against the backdrop of the increased privacy rights for Europeans embodied in the General Data Protection Regulation (‘GDPR’). In contrast to current US laws, GDPR protects all personal data, regardless of who collects it or how it is processed. In response to this regulation other countries, including Canada, Brazil, Kenya and Japan, are adapting their existing privacy legislation to make it compatible. US companies will have to comply with these rules in service of European customers, and will need to quickly understand how these rules fit with the US privacy framework.
This creates the real possibility that US companies will shortly have one set of privacy rules for European customers and another for domestic customers.
The increasing focus on global privacy and the regulatory landscape has not totally bypassed US legislators. On June 28, 2018, California passed the California Consumer Privacy Act (‘CCPA’), thus becoming the first state to introduce comprehensive restrictions on data collection and processing. The CCPA intentionally transposes a number of GDPR rights regarding transparency and the rights of individuals. Among other provisions, it defines “personal data” more broadly than the GDPR and requires companies to provide consumers with the ability to access and delete personal data. The legislation, which will become operative on 1 January 2020, will make it easier for consumers to sue companies following a data breach, although unlike GDPR it doesn't set a deadline for notifying consumers of a breach.
California has now been joined by Vermont and Colorado in passing new, more stringent and consumer-focused privacy legislation. This highlights that the issue of privacy in the US is growing in importance and is likely to continue to attract attention and legislation.
But while the issue of privacy continues to be addressed at state level, without any national guidance, the concern is that this will result in a patchwork of inconsistent, overlapping and incompatible laws across the US. Federal legislation, in contrast, would apply the same rules to all; thus providing all US citizens with guaranteed and consistent rights while also allowing for the flexibility to keep pace with new developments and advancing technology.
That being said there are not many signs of this legislation being developed at a Federal level, yet.
Receive our monthly newsletter