Federal consumer data privacy: is your business ready?

Federal legislation to protect consumers' data and privacy is gaining momentum in Congress, and draft legislation is being developed that is likely to become federal law in the next 12 to 24 months. VLCM has been tracking the progress of proposed federal data privacy legislation, and here is what we know so far…

The Consumer Data Protection Act sponsored by Senator Ron Wyden (D-OR), allows consumers to control the sale and sharing of their data, gives the Federal Trade Commission (FTC) the authority to be an effective cop on the beat, and will spur a new market for privacy-protecting services. The bill empowers the FTC to:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10- to 20-year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

Senator Wyden has circulated a working copy of the bill and will likely formally introduce it to Congress in early 2019.

On December 12, 2018, Senator Brian Schatz (D-HI), along with 14 other Senate Democratic co-sponsors, introduced a privacy bill called The Data Care Act of 2018. The bill is designed to protect users' information online and penalize companies that do not properly safeguard their data. Personal data as defined in the bill includes:

  1. Social Security number
  2. Driver’s license number
  3. Passport or military identification number
  4. Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account
  5. Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
  6. Account information such as user name and password or email address and password
  7. First and last name of an individual, or first initial and last name, in combination with date of birth.

The bill would also protect personal information from being sold or disclosed unless the user agrees, and would give enforcement authority to the FTC.

On January 16, 2019, U.S. Senator Marco Rubio (R-FL) introduced the American Data Dissemination (ADD) Act, legislation that would provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.

Specifically, the ADD Act would do the following:

  1. Not later than 180 days after enactment of the ADD Act, the FTC is required to submit detailed recommendations for privacy requirements that Congress can impose on covered providers. These requirements would be substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
  2. Not earlier than one year after the date on which the Commission has submitted detailed recommendations (18 months after enactment), the FTC will publish and submit to the appropriate committees of Congress proposed regulations to impose privacy requirements on covered providers that are substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
  3. To ensure Congress acts in a timely manner, if Congress fails to enact a law based on the recommendations by the date that is two years after enactment of this bill, the FTC would promulgate a final rule, not later than 27 months after the date of enactment, to impose privacy requirements based on the narrow, congressionally mandated course of action created through this bill.

While both Democratic and Republican members of Congress have been active in drafting privacy legislation, states have already started enacting strong privacy laws. One of the strongest state privacy laws is the California Consumer Privacy Act of 2018, which is scheduled to go into effect January 1, 2020. On May 29, 2018, Colorado passed the Colorado Protections for Consumer Data Privacy Act, which went into effect on September 1, 2018. On April 11, 2018, Arizona passed the "Personal information; data security breaches" law.

The technology industry is not happy with state privacy laws because individual state privacy laws create a multitude of expensive regulatory and compliance requirements. The technology industry is lobbying Congress to author federal privacy legislation that doesn’t impose onerous or costly privacy requirements. The industry also wants to make sure that any federal law will supersede and take precedence over state privacy laws.

Tim Cook, Apple’s CEO recently said, “The Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.”

What should your business be doing?

It is not a matter of if but when there will be a federal law that requires businesses of all sizes to ensure the security of their customers' data and privacy. It is likely that any federal data privacy law will impose some type of penalty for non-compliance or for a data or privacy breach.

VLCM recommends that our clients get ahead of future privacy laws by taking a proactive approach: perform an in-depth cybersecurity assessment of your data security posture to identify any potential gaps or vulnerabilities, then prioritize the identified gaps or vulnerabilities and take the necessary steps to remediate them. Doing so will greatly improve your data security posture, greatly reduce your risk of a data breach, and help ensure that you are compliant with future federal data privacy laws.

VLCM is here to answer any questions you have about protecting your customers' data and privacy. We also have in-depth experience performing cybersecurity assessments that can greatly improve your company's overall data security posture.