It seems like GDPR was a wake-up call for state legislatures, as more and more states are considering or have already introduced and passed bills to address privacy protections for American consumers. Of course, none of these bills are going to be identical to GDPR, but it’s clear these laws are what consumers want. A study conducted by Janrain Research found that 68 percent of Americans want laws similar to GDPR, and they want the opportunity to control how their personal information is used and stored.
However, while consumers push for privacy laws, businesses don’t see them in the same light. Recently, Robb Reck, a cybersecurity expert and CISO of Ping Identity, reached out to me to discuss the implications of new privacy acts. One of the things pointed out in that initial email was that for consumers, the data privacy acts are great because they put a stake in the ground about what is required for organizations doing business, but for companies, they will add some burden to operating requirements.
I wanted to hear more about his thoughts on the consumer regulations, so I reached out to him for a Q&A. Here is our conversation.
SMP: Why do you think privacy laws will be "good for consumers, bad for business"? Could you provide a little more detail on the potential negative impacts for businesses?
RR: For businesses, most of the negative impact from consumer data privacy laws will be felt as businesses seek compliance and remodel their processes for handling consumer data. However, for companies whose business model is the collection, packing, and sale of consumer data (especially without the consent or knowledge of the consumer), these privacy laws may require fundamental changes to the ways they do business.
In the long run, these changes will improve the experience for users, and the companies that most quickly recognize that, and use consent and transparency to give their employees a better experience, will also gain their trust, and eventually be at a big advantage.
SMP: Can you provide an example of one state’s privacy laws?
RR: While not all of the new state-issued data privacy laws carry the same hefty fines as GDPR, recent legislation from Colorado gives the Attorney General’s office authority to enforce the new requirements. Specifically, the law says the Attorney General may bring an “action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.” So long as businesses are adequately prepared to address the stipulations of their state-issued legislation — which only stands to improve their overarching security and compliance postures — they should be in good standing.
SMP: Are privacy laws really a good deal for consumers or is it a smoke screen to make them think their privacy is respected?
RR: It’s a process. Considering where we started from, with consumers having no visibility into what data is collected, used and sold, these laws can only move us in a better direction. When done right, consumer privacy laws can hold businesses accountable for how they use consumers’ data and they face real consequences for non-compliance. When done poorly, those laws still give us a common language to discuss privacy requirements, and a starting point for advocates to look to improve upon.
SMP: Like the data breaches notification laws, these privacy laws are going to be different from state to state, and I suspect will create some chaos into whose data is protected or how it will be protected. How should businesses address such discrepancies?
RR: These differing state laws are a real problem and will only become more of a problem as more states seek to be more aggressive with their requirements. Businesses should lobby our federal lawmakers to pursue a U.S. law that can standardize these requirements for us.
In the meantime, businesses need to deal with the reality we live in. Those doing business in Colorado or California should expect to do notifications within the legally required 30-day window. Depending on the type of data housed by a company, it may make sense to look at treating all data as though it were regulated by the strictest data. However, that does come with additional costs, and a significantly accelerated timeline.
SMP: What's your overall opinion on state-based privacy laws and why? What's the optimum solution or approach to better consumer privacy?
RR: While it is important for businesses and state governments to address consumer data, I believe that the momentum from Colorado's law, California's law, and others will create a de facto national standard. There's already movement by both political parties to create a national law to preempt the state laws.
The biggest risk I see with states continuing to create more and more strict laws is that it may create a situation where companies simply cannot comply. If a law requires notification too quickly, and it’s technically infeasible to adhere to, that law becomes very difficult to enforce, and may backfire by making companies give up trying to comply.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba