In the US, privacy and data protection continue to be a hot topic at both the federal and state levels, and legislation and regulations are expected to keep evolving in the years ahead. Even knowing that regulatory requirements and expectations may shift, several leading financial institutions are proactively building customer-centric privacy and data protection programs. For many of these organizations this is a strategic decision: by operationalizing privacy and data protection requirements now, and showing a willingness to adapt as the rules change, they can stand out from their competitors and build stronger trust with consumers.
To help companies become more strategic in understanding and managing data protection and privacy issues, this article provides a brief overview of existing privacy regulations, highlights a number of challenges associated with enacting privacy regulations in the US, and provides insights into how companies can operationalize privacy regulations even in an evolving environment.
Existing Privacy Regulations in the US
Protection of consumer privacy has been an important issue in the US for many years, although regulators at both the federal and state levels have struggled with how best to protect consumer data and privacy in an age in which data, and the analytics tools applied to it, only grow more pervasive.
At the federal level, the 1996 Health Insurance Portability and Accountability Act (HIPAA), which addresses the healthcare sector, and the 1999 Gramm-Leach-Bliley Act (GLBA), which addresses financial services, both place significant privacy obligations on the organizations they cover.
More recently, the state of California has led the way in enacting comprehensive data protection and privacy regulation in the US. The California Consumer Privacy Act (CCPA) was signed into law in 2018 and took effect on January 1, 2020. The CCPA focuses on transparency in how companies use consumer information and on giving consumers control over how companies collect and use their data. Under the CCPA, consumers have a number of rights, including the right to know what information a company is collecting about them, to access their personal information, to opt out of the sale of their personal information, and not to be discriminated against for exercising any of these rights.
In November 2020, California voters passed the California Privacy Rights Act (CPRA), strengthening the state's privacy and data protection rules even further. The CPRA, which many refer to as CCPA 2.0, highlights how rapidly privacy and data issues are evolving: the CCPA had only taken effect in 2020, yet the CPRA amends and expands it, with most of its provisions becoming operative on January 1, 2023.
In early 2021, other US states, including New York and Washington, renewed their efforts to introduce privacy and data protection legislation. In January, several privacy bills were introduced in New York, including Senate Bill S567 and Assembly Bill A680, the New York Privacy Act (NYPA), while Washington introduced the Washington Privacy Act in its third attempt to enact privacy legislation. Most recently, Florida introduced its Consumer Data Privacy bill (HB-969), which sets out consumer rights and data privacy obligations for certain businesses that use consumer data. Other states are also expected to increase their focus on privacy and data protection during 2021.
Key Challenges with Enacting Effective Privacy Regulation in the US
While other states have taken steps to follow in California’s footsteps, there are several challenges with respect to enacting effective privacy regulation. These challenges relate to both the development of data protection and privacy regulations and the ability of organizations to implement new rules effectively.
Regulatory Development Challenges
One of the key barriers to enacting data privacy and protection regulations effectively across the US is that every state's approach to data and privacy is different, shaped by its own goals and objectives. Key challenges in developing privacy regulations often include:
Supporting effective enforcement. Agreeing on enforcement mechanisms is often a critical roadblock when it comes to passing data and privacy rules, with disparate views over how best to give the regulations appropriate teeth. One example is ensuring that the legislation contains clear language the state's attorney general can rely on as the basis for enforcement action.
Allowing for correction. Pushback on legislation has also come from regulations not giving companies the ability to rectify situations where data has been mishandled before legal action is taken. Washington’s newest version of its privacy legislation includes a “right to cure,” embedding the ability of companies to rectify issues prior to regulatory escalation.
Determining whether a private right of action should be included. A private right of action allows an individual who believes they have been legally harmed to sue the business that is collecting their personal information. Whether or not to include one is a major sticking point for many states considering legislation, and for the development of federal legislation as well. Various stakeholders are concerned that a private right of action could negatively affect how companies implement privacy and security programs.
Confirming data retention requirements. Different regulations require that companies retain data only for a specific period or purpose. For example, the EU's General Data Protection Regulation requires that personal data be kept for no longer than is necessary for the purposes for which it is processed. A purpose-based requirement like this is less prescriptive than a fixed period, and it may not account for the fact that other rules in a given jurisdiction can impose their own retention obligations (e.g., the length of time records must be kept for tax purposes), so an organization has to reconcile "delete when no longer needed" with "keep for at least N years."
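The retention conflict described above is usually resolved in code by evaluating each record against every constraint that applies to it and taking the latest date as the earliest point at which deletion is permitted. The following Python is an added illustration of that evaluation, not code from the article or from any institution it mentions. The retention floors in STATUTORY_MINIMUM_DAYS, the tag names, and the sample records are all constructed placeholders for the example, not the periods set by any real statute; a production program would load reviewed, versioned policy values instead. It also models the state between "purpose ended" and "statutory floor reached," in which data must be kept but should be restricted to that one purpose, and it fails closed on any retention tag the policy table does not recognize.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed, illustrative minimum-retention floors measured in days from
# record creation. Placeholder values for the example, not the retention
# periods of any real statute.
STATUTORY_MINIMUM_DAYS = {
    "tax_record": 7 * 365,       # hypothetical tax-records floor
    "aml_transaction": 5 * 365,  # hypothetical anti-money-laundering floor
}


@dataclass
class Record:
    record_id: str
    created: date
    purpose_ended: Optional[date]              # None = business purpose still active
    statutory_tags: frozenset = frozenset()    # which retention floors apply
    legal_hold: bool = False


def retention_decision(rec: Record, today: date) -> tuple:
    """Reconcile 'keep only as long as necessary' with statutory floors.

    Returns (state, earliest_deletion_date), where state is one of:
      'retain'   - purpose still active, or a legal hold is in place
      'restrict' - purpose ended, but a statutory floor still requires keeping
                   the data; it should be locked down to that purpose only
      'delete'   - every constraint has lapsed; delete or anonymize
    """
    # Fail closed: a tag the policy table does not know about is an error,
    # not something to silently ignore (ignoring it could delete data that
    # a rule still requires you to keep).
    unknown = set(rec.statutory_tags) - set(STATUTORY_MINIMUM_DAYS)
    if unknown:
        raise ValueError(f"{rec.record_id}: unknown retention tag(s) {sorted(unknown)}")

    if rec.legal_hold or rec.purpose_ended is None:
        return ("retain", None)

    floors = [rec.created + timedelta(days=STATUTORY_MINIMUM_DAYS[t])
              for t in rec.statutory_tags]
    # The record may be deleted only once the business purpose has ended AND
    # every applicable statutory floor has been reached.
    earliest = max([rec.purpose_ended] + floors)

    if today >= earliest:
        return ("delete", earliest)
    if floors and today >= rec.purpose_ended:
        return ("restrict", earliest)
    return ("retain", earliest)


def triage(records, today: date) -> dict:
    """Group record IDs by decision so one pass can drive both the deletion
    job and the access-restriction job."""
    out = {"retain": [], "restrict": [], "delete": []}
    for rec in records:
        state, _ = retention_decision(rec, today)
        out[state].append(rec.record_id)
    return out


# Constructed sample inventory for the example.
TODAY = date(2021, 3, 1)
SAMPLE = [
    # purpose ended, hypothetical 7-year tax floor not yet reached -> restrict
    Record("cust-1001", date(2015, 1, 1), date(2016, 6, 1), frozenset({"tax_record"})),
    # purpose ended and floor long passed -> delete
    Record("cust-1002", date(2010, 1, 1), date(2012, 1, 1), frozenset({"tax_record"})),
    # still in use -> retain
    Record("cust-1003", date(2019, 5, 1), None),
    # everything lapsed but under legal hold -> retain
    Record("cust-1004", date(2012, 1, 1), date(2013, 1, 1), frozenset({"aml_transaction"}), legal_hold=True),
    # no statutory floor, purpose ended -> delete
    Record("cust-1005", date(2020, 1, 1), date(2020, 2, 1)),
]

if __name__ == "__main__":
    for state, ids in triage(SAMPLE, TODAY).items():
        print(state, ids)
```

The important design choice is the "restrict" state: a record whose business purpose has ended but that a statutory floor still covers should no longer be available to marketing, analytics, or general query access, even though it cannot yet be deleted. Driving access controls from the same decision that drives deletion keeps the two from drifting apart.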
Implementation Challenges
Many companies in the US already juggle multiple data privacy requirements, a task that will only become more difficult as regulations evolve. An ever-changing patchwork of rules creates major challenges for a company's ability to build compliant data privacy and protection programs. Key challenges from an implementation perspective include:
Understanding the data being collected today. The biggest challenge for many financial institutions is understanding their existing data: both the data they are collecting today and the data that already sits in legacy systems and databases, along with how that data is used, where it is stored, and how it moves into and out of the organization. Without this understanding, it is difficult to build a strong compliance program that accounts for the differing requirements of different jurisdictions.
Making sure operators understand shifting terminology and requirements. Many operators still think in terms of nonpublic personal information (NPI) under Regulation P, which implements the GLBA's privacy provisions, whereas they may now need to work with personal information (PI) as defined by the CCPA, a larger category with broader applicability. If the operators responsible for key compliance activities do not understand which rules have changed, or will change, and how that affects their day-to-day work, ensuring compliance becomes a major problem.
Understanding compliance obligations as a data controller versus a data processor. Many companies are unsure what compliance requires of them when acting as a data controller versus a data processor under a data processing agreement (the CCPA uses the analogous terms "business" and "service provider"). Companies need to understand the additional measures they can demand of a counterparty when they are on the controller side, and the measures they must be prepared to provide when they are on the processor side.
Confirming when consent is valid for data processing and when additional consent is required. Consent for data processing should be freely given and not considered an obligation. To this end, rules around consent for data usage should consider the relationship between the company and the individual (e.g., employer and employee, service provider with customer), with additional layers of consent defined based on those relationships—particularly when the data user holds a disproportionate amount of leverage over the data provider.
Determining what constitutes a data transfer. Data transfer requirements and restrictions are complex and confusing, particularly for companies that operate globally, because the rules differ between jurisdictions. For example, the regulations are not always clear on whether routing data through a third country constitutes a "transfer," or whether giving a processor in a third country view-only access should be treated as one. Numerous stakeholders are pushing for federal data protection and privacy legislation to harmonize requirements across the US, making it easier for consumers to understand their rights and for organizations to comply.
Operationalizing Privacy Regulations in an Evolving Environment: Where to Start
Many financial institutions in the US are using the CCPA as a stepping stone for building out their compliance strategy. Rather than applying its rules only where they currently apply, these companies are proactively building for broader implementation and for the flexibility to adjust course as new regulations arrive.
For example, one major US financial institution accepts data access and data deletion requests not only from customers covered by the CCPA, but also from customers whose data falls under the CCPA's GLBA exemption. The organization does this because it believes an enterprise-level data protection and privacy program should treat all customers alike, whether they are in California or not.
Based on the experiences of leading financial institutions, there is a lot that US companies can do now to operationalize existing privacy regulations while laying the groundwork for future success. As a starting point, companies should consider the following activities:
Make privacy a strategic goal: Companies should make data protection and privacy a strategic goal, rather than a compliance issue. This means taking time to understand customers’ needs and expectations and creating a response that contributes to the organization’s overarching customer value propositions.
Consider data management and governance across the organization: Companies should step back and assess their entire data management and governance approach from a privacy perspective to ensure it aligns with customer expectations, regulatory requirements, and expected future needs. This means evaluating how the company collects, manages, communicates, shares, and retains customer information. Such a holistic approach can help companies embed data protection across all operational activities and service providers.
Establish accountability at the board level: Creating board-level oversight and accountability for data protection and privacy programs can help companies create a culture where consumer data and privacy is prioritized. For example, including regular reporting by the chief information security officer to the board can help companies keep data privacy a top priority.
Build understanding and buy-in across the organization: Companies should work to cultivate a culture where employees understand and buy into the importance of data protection and privacy both from a consumer perspective and from a regulatory perspective. This means communicating with operational staff regularly and providing education related to privacy and data security principles, programs, and regulatory changes so they understand how changes affect their day-to-day activities.
Implement programs that are flexible and scalable: Privacy and data regulations will continue to evolve, so companies should focus on creating programs that are flexible and scalable so they can adapt even as new state or federal regulations evolve.
By showing an awareness of customer concerns about privacy rights and embedding privacy and data ethics within their organizational processes, reporting structures, and communications, companies can create stronger, more positive relationships with their customers—which will only help their organization thrive long term.
Potential Implications of the Biden Administration
The near-term priority for the new administration is to negotiate a successor to the EU-US Privacy Shield, which the Court of Justice of the European Union invalidated in July 2020 (the Schrems II decision), leaving EU-US data transfers in limbo. When Gina Raimondo, US Secretary of Commerce, appeared before the US Senate as part of her confirmation process, she committed to prioritizing the Privacy Shield agenda. We also anticipate that the new administration and regulators such as the Federal Trade Commission and the Consumer Financial Protection Bureau, as well as state attorneys general, will take a more aggressive regulatory approach to data privacy and pursue related enforcement action.