By Crystal Woody, Senior Director of Strategic Communications at Privitar
Last week, I had the opportunity to catch up with Polly Sanderson, Policy Counsel at Future of Privacy Forum, where she focuses on legislative outreach and analysis, and privacy legislation at the federal and state level. FPF is a prominent D.C. based think-tank with expertise on emerging consumer privacy issues.
During our conversation, we discussed the current state of the data privacy landscape in the United States. We also talked about some tips and insights she wanted to share with businesses trying to navigate this changing regulatory landscape. The transcript of our interview follows.
Polly will share additional insights on the US Data Privacy Landscape on May 14th (5:00pm BST / 12:00pm EDT) during In:Confidence Digital. For more information about her session, or to register for free, visit: https://inconfidence.privitar.com/digital
CW: What is driving the momentum for new privacy legislation in the United States?
PS: Momentum for US privacy legislation comes from a number of places – grassroots, the States, and external pressure from other jurisdictions implementing their own laws. After a series of high-profile scandals and data breaches involving personal data, this has become a mainstream issue. Equifax, Cambridge Analytica, and more recently Clearview AI have put the spotlight on whether individuals can trust companies with their data. In part, the California Consumer Privacy Act (CCPA) is a manifestation of the desire of individuals to increase legal protection. Since the enactment of the CCPA, many other states have introduced similar bills to give their own constituents similar or stronger protections. To increase consumer trust and adoption of digital products and services, and to prevent the emergence of inconsistent state laws, industry is supportive of implementing a uniform set of federal rules. Moreover, many companies have also already implemented internal compliance programs to comply with the EU’s General Data Protection Regulation (GDPR).
CW: What are the major points of consensus and ongoing discussion in the US privacy debate?
PS: In principle, there is widespread agreement on the need for privacy legislation in the United States. Since the end of 2018, many proposals have been introduced to Congress from both Republicans and Democrats. At this stage of the privacy debate, the general legislative framework is fairly well-settled. It consists of a set of rights for individuals, obligations for covered entities, the Federal Trade Commission (FTC) as the primary regulator, and additional enforcement by State Attorneys General. The details vary between proposals, but although many of the issues are complex, there is much room for compromise. At the crux of the debate are substantive processing limitations and issues involving automated decision-making, algorithmic bias and discrimination. These are hugely important aspects of the debate, with major privacy implications for individuals and groups, as well as commercial practices. Until these issues are worked out, some of the more political issues – preemption and private right of action – are unlikely to be resolved. I am optimistic that a nuanced and balanced solution is possible.
CW: What are the biggest points of distinction between US data privacy legislation and international approaches to privacy protection? Is any country “getting it right?”
PS: What may be the “right” approach for one country can rarely be copied and pasted to another jurisdiction. Data privacy laws must be considered in the context of the cultural and constitutional backgrounds, values, and regulatory appetites from which they originate. One of the largest differences between US data privacy legislation and the European approach is that, under the GDPR, covered entities must have a “legal basis” to collect covered data. This requirement is anchored at the constitutional level in the EU. Meanwhile, the US’s constitutional protection of the freedom of speech has been interpreted by US courts to protect the free flow of information. It is therefore not surprising that most legislative proposals in the US do not include a requirement for covered entities to have a legal basis for the collection of personal information. Traditionally, the U.S. has regulated the processing of personal data in areas where there is a risk of harm. This has created fertile ground for data-driven innovation. However, the proliferation of data-driven innovation in modern society now calls for a general regulatory framework to promote consumer trust of techy products and services. Of course, an overly prescriptive law could have the unintended effect of benefitting large companies at the expense of small but innovative players and start-ups which lack the resources to hire large legal teams. In general, most US proposals take a more nimble, holistic regulatory approach than the GDPR.
CW: How do you expect COVID-19 to impact the US data privacy landscape?
PS: COVID-19 has underscored the need for a federal data privacy law in the United States. If there had been a law in place before the pandemic, then there would be less confusion among policymakers and companies about how to share and use data to combat the emergency and what safeguards to put in place. The US has been slower to act than the EU – there has been much guidance and clarity from EU DPAs. However, the pandemic has also put the consumer privacy debate on hold temporarily. Before the outbreak, over a dozen states were considering their own privacy laws. Now, the focus of legislators has moved toward formulating urgent economic and social responses to the pandemic. But without adequate data protection, citizens are less likely to trust technological solutions, and there is a greater risk that measures put in place now to fight COVID-19 could have implications for surveillance now and in the future. It is important for legislators and companies to be cautious, and to learn lessons from how 9/11 impacted the balance between surveillance and human rights.
CW: What piece of advice would you offer to businesses that are trying to navigate a rapidly evolving data privacy landscape?
PS: If I could give one piece of advice to businesses that are trying to navigate the rapidly evolving data privacy landscape, it would be that legislators are never going to be “done” dealing with the regulatory framework of consumer data and the issue of privacy. We are living in a new era. To remain competitive, to maintain the trust of consumers, and to continue to win contracts with other businesses, you need to “lean in” by demonstrating that your privacy and security practices are state-of-the-art. Where possible, businesses should employ Chief Privacy Officers to oversee the implementation of comprehensive privacy programs internally, even if it is not legally required. I cannot stress enough how important it is for there to be open lines of communication between your privacy team, IT team, and upper-level management. This is a board room level issue, this is a reputational issue, and this is an issue that is not going away. Start-ups will benefit from practicing privacy-by-design from the outset, and throughout the design, development, and deployment of their products and services. Regulators will look kindly upon organizations that are able to demonstrate a good-faith effort to practice good data practices, even in a rapidly changing landscape.