Privacy Regulatory Trends: Diversity Favors Fragmentation

Blog summary [5-minute read]

• Defining privacy and personal information
• Issues around a U.S. national privacy law
• Preparing for privacy regulatory trends complexity

Over the past decade, discussion of an omnibus U.S. law has sprung to life whenever massive corporate data breaches or misbehavior by tech giants hit the headlines, only to be sidetracked by other priorities and partisan differences. But hope springs again, as Reuters reports, “U.S. data privacy laws to enter a new era in 2023.”

Following California’s CCPA, eight states – Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia – have embraced new GDPR-inspired privacy regulations. While in the past, US data privacy laws have been built around harm prevention, the underlying theme of GDPR that’s provoking change embodies a “rights-based” approach that allows individuals ownership over the rights of their personal information, such as who can collect it and what purposes it can be used for.

A look at the history of privacy regulation confirms that we can dream of simplification, but it’s wisest to prepare for more complexity, not less.

Privacy and Diversity

For most of human history, isolation has been a bigger concern than privacy. People longed to communicate information across distances—an effect you can see today in remote areas of the world, where rural households without the luxury of running water manage to own a family cell phone.

Privacy only emerged as a legal issue in response to technologies that could capture and transmit information: the camera, telegraph, telephone, and eventually digital technology. (In the U.S., the right to privacy was first outlined in 1890 by Boston lawyers Samuel Warren and Louis Brandeis, motivated by press gossip about Warren’s daughter’s wedding.)

Over time, the right to privacy has come to be recognized worldwide. In fact, Gartner predicts that, by 2024, 75% of people across the world will have their personal data protected by privacy regulations, compared to only 10% in 2020.

The problem is definitions of “privacy” are as diverse as humanity. Cultural, geographical, and political differences all influence privacy regulations.

The problem is definitions of “privacy” are as diverse as humanity.

For example, the age of consent to data collection varies among countries.

• In the U.S., COPPA protects the privacy of children under the age of 13 years
• GDPR sets the age of consent at 16 years old
• The Brazilian LGPD sets it at 16 with parental consent required for data processing
• Australia sets it at 15 with the proviso that the individual must have “the capacity to consent,” regardless of age. (Imagine having to determine every individual’s capacity to consent!)

Different industries also use different definitions of privacy. The new National Association of Insurance Commissioners (NAIC) privacy laws define personal information differently than HIPAA and other medical privacy laws. We can agree that an insurance photo of a bent car fender isn’t personal, whereas a medical image of a patient’s body should be protected.

We also see different economic and cultural priorities reflected across jurisdictions. For example, the California Privacy Rights Act (CPRA) favors the individual, expanding the private right of action for privacy violations, whereas some other U.S. regulations prioritize business use of consumer information, allowing only state attorneys general to prosecute violations.

Issues Around a U.S. National Privacy Law

The United States reflects the world’s diversity in microcosm. So, it’s no surprise that differing goals and priorities have hindered efforts to pass a national privacy law. While political parties have come closer on provisions such as deletion and data portability, there is still contention over whether consumers should have to opt-in or opt-out of personal data collection, if and when to allow individual right of action, and the many possible definitions of what constitutes personal information.

While businesses want a single national privacy law to simplify compliance, simplicity is far from certain even if a law is passed. The question is whether state and local privacy laws would remain in effect or be pre-empted by national legislation.

States that have stronger protection are unlikely to favor a national law that weakens protections for their citizens. If state laws are not pre-empted, privacy teams will face one more layer of complexity, having to compare state and federal requirements in each case and comply with whichever is stricter.

Preparing for Privacy Regulatory Trends Complexity

Experience suggests that privacy itself will continue to be a complex and evolving concept, and that complexity will continue to be reflected in privacy regulations. New laws will update or overlay existing laws, notification deadlines will continue to shorten, and definitions of personal information will continue to expand. And even sweeping legislation won’t override all the contractual privacy and notification obligations that must be tracked and met.

To position compliance, organizations that manage personal data should plan for complexity by becoming more efficient. Streamlining incident management, automating risk assessment, and maintaining a real-time view of changing regulations will help ensure compliance. And that efficiency will also free up resources to work with other business functions on data mapping, risk analysis, privacy training, and other proactive privacy efforts.

The bottom line is this: As long as people have opinions, standardized privacy regulation will be elusive. But even if that day comes, time and money spent creating efficiency will never be wasted.