
Is Nationwide Data Privacy Legislation Doomed to Fail in the US? What APRA Can Learn from GDPR


— August 16, 2024

There should be a national legal standard set in the US that companies have to abide by to ensure that consumer data is being used in ethical and compliant ways.


The vast majority (93%) of consumers report they are concerned about the security of their personal information online. And they’re putting their money where their mouth is by not spending their dollars with companies that aren’t prioritizing data privacy. In fact, 97% of consumers prefer to do business with companies that have a strong track record of protecting data privacy. 

While many US states have started to take these truths seriously by enacting privacy laws, a patchwork of state-by-state regulations makes it tricky to truly protect customer data – spotlighting an urgent need for legislators to stop dragging their feet and prioritize a national law.

So what’s the holdup? Let’s take a closer look.

Why the US can’t seem to pass a federal privacy law

The American Data Privacy Protection Act (ADPPA), launched in 2022, was the first serious US attempt to create a federal privacy law. The main goal of the ADPPA was to regulate how organizations can utilize and house consumer data. The bill had bipartisan support as it advanced to the House floor, but lacked the key support needed to advance further (particularly from California lawmakers), with specific criticisms leveled at the impact the bill could have on law enforcement efforts.

Which brings us to the second attempt from the US to pass a comprehensive federal privacy law: the American Privacy Rights Act (APRA). The APRA shares many similarities with its doomed predecessor, including guidance surrounding strict data minimization and individual rights to personal data, plus the option to opt out of targeted advertising. The legislation had a scheduled markup with the House Energy and Commerce Committee, which would have provided lawmakers the chance to analyze and amend the bill.

However, it was canceled at the last minute – a move largely attributed to Republican concerns about the bill’s private right of action, which they reportedly felt could create negative impacts on smaller businesses. This means, as of now, the APRA is at a standstill – potentially until the US Presidential Election on November 5.

What can the US learn from the EU’s GDPR? 

While the pause US legislators face is certainly frustrating – especially when the success of such regulation passing hangs in the balance of such an important election – it does provide lawmakers with a unique opportunity to examine key learnings from across the pond. The European Union’s General Data Protection Regulation (GDPR) has already been in effect for over six years and aims to guide how personal data is collected, used, transferred, stored, and processed. 

There are a few key components US policymakers might consider as they try to move toward bipartisan support: 

  • Rome wasn’t built in a day… and neither was the GDPR

  When considering the dynamics between legislation and technology, it’s important to note one always develops faster than the other. The original authors of the GDPR were quite clever, as they made a concerted effort to consider how the language would stack up as technology continued to develop.

  As a result, GDPR remains very applicable to AI, despite the boom only happening in the past 18 months. For example: a fundamental piece of GDPR is a user’s right to challenge an automated decision because the information an answer is being based on could be wrong. And if companies aren’t able to properly explain how that decision was made, they cannot fulfill their legal obligation in the GDPR.

  So, big tech companies can say they trained their AI and it made an automated decision – but they must be able to explain exactly how the AI came up with that answer to be GDPR compliant.
Woman with a GDPR speech bubble holding a padlock icon; image by Rawpixel.com, via Freepik.com.
  • Consider the principles of data privacy rather than the actual definition

  The GDPR was established with a broad intention to protect individuals, rather than focusing on specific rules. Integrating this spirit into US privacy laws could provide a framework for addressing diverse scenarios, ensuring both consumer protection and organizational accountability – even as technology evolves rapidly.

  With this intentionality of protecting consumer data in mind, the onus is on businesses to follow through. Interestingly, US consumers are 55% more likely than EU consumers to believe data privacy should rest in the hands of companies.

  It’s important to note that GDPR’s role as a checks-and-balances system is crucial to its success and should be emulated in the US, especially as concerns about data security continue to grow.

The bottom line is that there should be a national legal standard set in the US that companies have to abide by to ensure that consumer data is being used in ethical and compliant ways. While the process of enacting a federal privacy law comes with hurdles, learning from GDPR’s successful elements could pave the way for a robust framework. Balancing adaptability with core ethical principles will lead the way to crafting a law that endures rapid technological change.
