With over 90 percent of people in the United States feeling as though their data is out of their hands, it should come as little surprise that many are looking towards the European Union’s General Data Protection Regulation as inspiration. However, how close is the United States to passing this kind of legislation… and how will smaller businesses fare if (or when) some is passed?
Under the GDPR - which came into effect on May 25, 2018 - any companies that have collected data on a resident of the European Union are then responsible for protecting that data. Furthermore, the GDPR grants these residents a far higher level of access and control over the data that organizations possess.
According to a poll, data privacy has become a bigger priority for 73 percent of respondents, 64 percent stating that they felt the security of their data was worse than it has been in the past. 80 percent want the ability to learn who has purchased their data, while 83 percent want the ability to veto an organization’s ability to sell their data in the first place. 64 percent also stated that they want the ability to have this data deleted.
Governing bodies at different levels have had different reactions to these demands. For instance, the state of California has already passed the Consumer Privacy Act (CCPA) - a piece of legislation that the House of Representatives' Consumer Protection and Commerce Subcommittee isn’t too fond of, as its position is that there needs to be a singular piece of legislation at the federal level to protect data. As of right now, data privacy is addressed in a combination of state laws and some proposed federal laws.
One of these proposed laws, the Data Care Act, spells out that (in addition to promptly alerting end users to security breaches) a service provider cannot legally share a user’s data without the receiving party also being beholden to the same confidentiality standards. Others include the Information Transparency and Personal Data Control Act, which requires transparency and personal control over data, the Consumer Data Protection Act, which could throw executives in prison for abusing data, and the American Data Dissemination Act, which sets a deadline for the government to enact privacy requirements upon businesses.
However, when the Consumer Protection and Commerce subcommittee met to discuss the prospect of a federal privacy law (which it was agreed was necessary), there weren’t any representatives for the average consumer - the ones whose data is really at stake. This reflects the hearings held last year by the Senate, also without consumer representation. Instead, technology companies were invited to participate during both sessions.
That being said, there is very little support among the committee for any regulations that are at all similar to the GDPR. One reason for this: the fear that small businesses will not find themselves able to afford the added cost of compliance.
For instance, there are a variety of potential burdens that such a measure could potentially impose upon small and medium-sized businesses. These burdens include:
It is worth noting that if your organization does business with people from the EU, you are responsible to adopt the privacy rules of the GDPR.
What do you think? Are laws like these necessary, especially given the cost they could put on small businesses? Have you had any data privacy concerns in the past? Share your thoughts in the comments.