Isn’t it time we talk seriously about a nation-wide Privacy Act?

Would you be surprised if someone told you that they felt even less secure online today, compared to five years ago? 

All we hear about are big companies screwing up and losing user data.

Nah. Me neither. As Mitchell Noordyke of iapp reports, “state level momentum for comprehensive privacy bills is at an all time high.”

One of the hot topics now is whether the United States, like the EU, ought to develop and adopt a single privacy framework for all its residents, across all 50 states.

To be honest, in the current political climate (where many feel divided across partisan lines), even getting a national privacy framework kickstarted, one that wouldn't be pooh-poohed by the other party, seems like a long shot. However, the need is certainly intensifying, mostly due to the sheer complexity of adhering to each state's regulatory requirements.

The reason firms and organizations care is simple: if they want to provide services or products to, or collect information from, users within a state, they must follow that state's law.

And it is complicated because each state has carved out its own privacy law. Remember that there are, at their core, two aspects to privacy regulations: one covers the rights of the consumer, while the other covers the obligations placed on the organization, such as the prohibition of discrimination, processing limitations, or age limits for opting in to services.

The people at iapp pulled together a nifty State Comprehensive Privacy Law Comparison. A quick gander at the table, presuming it is correct and up to date, shows a number of differences, such as:

  • California, Hawaii, and Pennsylvania have decided that a resident must be 16 years of age to opt in, while Massachusetts has set its limit at 18. Many other states, such as Louisiana, New Jersey, and Washington, do not appear to set an opt-in consent age at all.
  • Fiduciary duty is only required in New York.
  • Most states give consumers the right to access the information collected about them, but not all: Illinois, Louisiana, Nevada and New Jersey do not.

So a rather unpleasant irony here is that the names of these privacy laws vary little: you have the Washington Privacy Act, the Rhode Island Consumer Privacy Protection Act and the California Consumer Privacy Act. And yet each offers a tailored version of privacy, some much better for residents, while others give the collector and processor more freedom to snarfle up personally identifiable information.

The areas a nation-wide privacy regulation could cover are far and wide, but it should definitely include these rights for the user:

  • the right to be forgotten
  • the right to access collated information
  • age restricted opt-in controls
  • the right to opt out of specific or all data collection

National checks and balances on the organization would need consideration as well, such as:

  • mandated risk assessments
  • data breach notification 
  • data processing limitations, such as enforcing pseudonymization of all PII (noting that pseudonymized data is still personal data, since it can be re-linked by whoever holds the key; only genuine anonymization takes it out of scope).
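The pseudonymization requirement above is the one item in these lists that is a concrete engineering control, so here is an added example (not code from the original post) of what it looks like in practice, next to the unkeyed hash that is often mistaken for it. Everything in it is assumed for illustration: the record layout with an `email` field, the constructed sample records, and the convention that the HMAC key lives outside the data store.

```python
"""Added example, not code from the original post: keyed pseudonymization
of PII, next to the unkeyed hash that is often mistaken for it.

Assumptions (none stated on the page): records are dicts carrying an
'email' field, and the HMAC key is stored separately from the data set
(a secrets manager or HSM), so the data set alone cannot be re-linked.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records for the demo; not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "state": "CA", "purchases": 3},
    {"email": "bob@example.com", "state": "WA", "purchases": 1},
    {"email": "Alice@Example.com", "state": "CA", "purchases": 2},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of a normalized value.

    This is NOT pseudonymization: anyone can hash a list of guesses and
    compare, so low-entropy fields like e-mail addresses are trivially
    reversed (see reidentify_by_dictionary).
    """
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized value.

    Stable for a given key, so records about the same person still link
    together; without the key a guess cannot be checked against the token.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records: Iterable[dict], key: bytes, field: str = "email") -> list:
    """Return copies of the records with `field` replaced by its pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy[field] = pseudonymize(copy[field], key)
        out.append(copy)
    return out


def reidentify_by_dictionary(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view of an unkeyed hash: hash each guess and compare.

    Works against naive_hash output; fails against pseudonymize output
    because the attacker does not hold the key.
    """
    for guess in candidates:
        if hmac.compare_digest(naive_hash(guess), token):
            return guess
    return None


def demo() -> dict:
    """Run the comparison and return the observations as a dict."""
    key = secrets.token_bytes(32)          # kept out of the data store in practice
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]

    naive_token = naive_hash(SAMPLE_RECORDS[0]["email"])
    keyed_token = pseudonymize(SAMPLE_RECORDS[0]["email"], key)
    safe = pseudonymize_records(SAMPLE_RECORDS, key)

    return {
        # the unkeyed hash is reversed from a tiny guess list
        "naive_reversed_to": reidentify_by_dictionary(naive_token, guesses),
        # the keyed pseudonym survives the same guess list
        "keyed_reversed_to": reidentify_by_dictionary(keyed_token, guesses),
        # records 0 and 2 are the same person (case differs) and still link
        "same_person_links": safe[0]["email"] == safe[2]["email"],
        # no raw e-mail survives in the pseudonymized set
        "raw_email_leaked": any("@" in r["email"] for r in safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the same key must be used wherever records need to link (rotating it breaks joins across older data sets, so plan for re-keying), and because the key holder can re-link every token, the output is still personal data, which is exactly why the bullet calls it a processing limitation rather than a way out of the regulation.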

Permit me to be frank here. Currently the US seems to be failing to do an acceptable job of protecting the personal data of its residents. Despite existing national regulations covering the collection and handling of financial data or health data (GLBA and HIPAA, respectively), we have seen a disturbing number of successful attacks that have stolen innocent users' personal information.

This increased frequency and scope of data breaches, and the outlandish success that attackers seem to be having, underline the need for a national data privacy law.

It would simplify how businesses (those that want to be responsible) implement their data processing under such future national regulations. Rather than spending time and money on logic to account for each state's particular requirements, they could invest in the security of their overall systems.

Plus, users would have more transparency and a better understanding of their rights when it comes to online data collection.

In my book, this is a win-win. Besides, the US gets to learn from all the benefits and costs of the GDPR, and perhaps even improve upon it!
