The Current State of Privacy
In the United States, personal data privacy laws are extremely fragmented. The existing legislation can largely be broken up into two main categories:
- Industry-Specific Standards: Certain specific types of data are protected under industry-specific regulations in the US. For example, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) mandate how patient and cardholder data should be used and secured.
- State-Level Legislation: Several US states have passed or are currently considering state-specific data privacy laws. These state-level laws typically cover only residents of that state, and data subject rights and business requirements can vary significantly from one state to the next.
This fragmented regulatory landscape means that not all Americans can expect equal levels of data privacy. The California Consumer Privacy Act (CCPA) and the recently passed California Privacy Rights Act (CPRA) provide strong privacy protections for California residents.
However, in many cases, these protections and rights are only extended to those explicitly covered under the law. Many websites ask whether someone is a California resident as part of the process for exercising the rights outlined in the CCPA and CPRA. This demonstrates that, currently, major gaps exist in US privacy protections.
The Future of Privacy in 2021
The data privacy landscape has been evolving recently. In the past few years, several new data privacy laws have been passed and put into place in a number of countries, states, and regions. However, no federal data privacy law currently exists within the United States.
This lack of a federal privacy law is expected to spur continued development of data privacy legislation in the US. In 2021, it would not be surprising to see:
- More State-Specific Privacy Laws: Without national privacy legislation, states are increasingly developing and passing their own privacy legislation. Several state-specific privacy bills are currently working through state legislatures, and more are likely to start the process in 2021.
- A National Privacy Law: Legislators have been working on a national privacy law for several years now, and many of the core components currently have bipartisan support. With the 217th Congress, the potential exists for a federal privacy bill to pass the legislature and be signed into law in 2021.
With these new privacy laws come new requirements for businesses. As data protection regulations impact a greater percentage of consumers, businesses will need to focus on their compliance efforts in 2021. This includes both ensuring the ability to comply with data subject rights requests and protecting consumer data against breach and unauthorized access or use.