The Disarray of U.S. Data Privacy and Protection Laws: History Repeats

It has been nearly 30 years since the European Commission issued the original data privacy directive, EC/95/46, which provided a floor for the (then) 28 European Union jurisdictions to develop a set of privacy regulations and guidelines. Fast forward to 2024, when the General Data Protection Regulation has become a catalyst for global data protection laws, and roughly a dozen U.S. states have established varying forms of data privacy, consumer privacy or other specific types of privacy regulations. While the objective of protecting personal data is to be lauded as states aim to independently protect the personal data of their citizens, the variation of regulations from state to state has the potential to create a degree of dissimilarity that could spur widespread calls for uniform regulation. Challenges are inevitable. Confusion is probable. Feelings of chaos are possible.

Because history tends to repeat itself, a look back at how data privacy laws evolved in Europe and across EU member countries over nearly three decades provides useful guidance for what can be expected in the U.S. in the coming years.  

In the decade and a half following the issuance of EC/95/46, member countries in the EU developed unique frameworks for data privacy regulation specific to its jurisdiction. By 2010, there were 28 similar yet independent sets of requirements that companies operating in Europe were obligated to follow with little harmonization. Similarities existed, but their applicability was variable.

Global corporations were then saddled with the obligation to build data protection compliance programs and implement those on a country-by-country basis to as great an extent as possible. Over time, the cost of compliance became so burdensome that companies started appealing to the EU to build or construct a uniform and harmonized requirement that could be applied across the EU, simplifying obligations and driving down the cost of compliance to acceptable levels.

In response to this outcry, the European Commission began developing what we now know as the GDPR. Because the EU was at that time comprised of 28 countries (rather than 28 different states overseen by a federal organization), the time it took to develop the GDPR and accept comments and input from all the member states was lengthy and onerous. This process was finally completed in 2016. However, due to the breadth of the new regulations and existing differentials across the continent, the European Commission provided an additional two years (until May 2018) for the regulation to take effect. Finally at this point in 2018, firms operating in the EU had a single set of requirements for general data protection including privacy and certain governance functions. More than two decades of data protection chaos began to wind down.

As GDPR was being activated in the EU, in 2018, the California State Assembly was concurrently developing its own initial set of privacy obligations that ultimately became the California Consumer Privacy Act.  The CCPA, was activated in 2020. In the years subsequent, additional states have written and implemented their versions of state privacy laws with various similarities, differences and areas of complete differentiation from other state privacy regulations. California has also further amended the CCPA to include the California Privacy Rights Act (CPRA).

Thus begins a new wave of data-regulatory confusion in the United States. Illinois now has the Biometric Information Protection Act in place to protect the biological characteristics of persons in the state, on systems that are using biometric information. So, while the state has no specific privacy law, it does have a set of restrictions on one specific subset of personal data. Additionally, the New York Department of Financial Services (NYDFS) section 500.3 has requirements for data obligations, including policies for customer data privacy policies.  Virginia, Colorado, Connecticut, Utah … the list of US states with privacy obligations continues to proliferate.

In addition to other privacy or personal data protection laws in many US states, laws relating to breach notification and data security are moving through the legislative process in each state or are already established. One of the commonalities in these regulations is a negative use case: many provide exemptions for financial services and health care in deference to industry-specific federal laws. Another instance of uneven application of privacy regulation depending on region and/or industry.

In short, data protection obligations are growing for most organizations and compliance is becoming more costly for businesses engaged in interstate or global commerce. 
As companies play whack-a-mole with state and industry privacy laws, they also need to consider that state laws generally provide exemptions for the health care and financial services industry because of the preemption of those industries by federal laws. For example, financial services is heavily and broadly regulated at the federal level, and the Graham-Leach-Bliley Act governs data privacy obligations in the industry.  In health care, HIPAA privacy requirements apply. For firms that are specifically in these industries, the privacy and data protection obligations are relatively clear. For those firms that are service providers to financial services or health care firms as “covered entities” or “business associates”, the obligations are a bit murkier. Clearing requirements as a third-party provider can provide directionally accurate information.

How to manage the growing uncertainty? There are several initial steps organizations can take to stay one step ahead. These include:

• Pick a framework or regulation to hold to as the gold standard. It should be the most rigorous law that applies to the organization (e.g., GDPR or CCPA) or that of a trusted global standards body such as the NIST Privacy framework.
• Identify the controls and processes that the organization has in place or needs to enhance to align with the selected gold standard.
• Build and implement. Risk assess missing or weak processes or controls and prioritize. Set an end date.
• Don’t forget metrics and measurements. If it isn’t being measured, it isn’t being managed. Being able to report how many, how much, and how long for any data protection obligations gives regulators something to work with and a reason to move on.

The Digital Insights and Risk Management experts at FTI Technology have extensive experience in supporting organizations through global data privacy assessments, program development, regulatory response, privacy technology implementations, and other adjacent governance activities. For support with navigating the global and U.S. state patchwork of laws, contact the Information Governance, Privacy & Security team.  
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.