
3/24/2021
01:00 PM
Rob Shavell
Commentary

What a Federal Data Privacy Law Would Mean for Consumers

With an array of serious proposals from both sides of the political divide, it looks as though the US may finally have a national privacy law.

For better or worse, the United States is an outlier across many global metrics, and its approach to consumer privacy is no exception. While most nations are in the process of enacting or strengthening federal privacy laws, the United States is set to become one of the few major global economies without federal online privacy protection. For consumers whose personal information is frequently and blatantly abused, this situation needs to change.

Fortunately, in 2021, we are likely to see the first significant push toward a true federal data privacy law in our nation's history. While the adoption of the GDPR in the European Union, the world's largest trading bloc, in 2016 may have made a US equivalent historically inevitable, this push is also driven by tailwinds coming from the state level.

Over the past year, privacy legislation achieved widespread political and public support in a diverse range of states. In California, the most populous state by far, the California Privacy Rights Act's (CPRA) landslide victory in November highlights the public's growing appetite for privacy protection. However, with 75% of Americans saying they want more privacy protection online, it's clearly not just Californians who feel strongly about their online privacy.

What a Federal Privacy Law Might Look Like
With an array of serious proposals from both sides of the political divide, some form of federal privacy law now looks like an inevitability. While far from the only privacy-focused bills currently under consideration, the COPRA and the SAFE DATA Act show two different views of what a federal privacy landscape might look like.

On one side of the political debate over privacy, the Consumer Online Privacy Rights Act (COPRA), sponsored in late 2019 by Democratic Sen. Maria Cantwell of Washington, outlines a GDPR-esque privacy environment for the United States. Much to the chagrin of big tech, COPRA would allow consumers to opt out of their data being collected and shared and give individuals the right to sue any organizations that violate their data privacy rights directly. If adopted, the COPRA would also stand in addition to any existing state legislation. This provision means that laws like CPRA would still stand, and the COPRA would not preempt further state-level privacy legislation.

An alternative, more "business-friendly" version of what a federal privacy law might look like can be seen in the SAFE DATA Act. Proposed by a group of GOP senators led by Mississippi Sen. Roger Wicker, SAFE DATA outlines a less stringent vision for federal privacy legislation. Under the SAFE DATA Act, each state's attorney general would enforce online privacy legislation alongside the Federal Trade Commission. The SAFE DATA Act would also make federal legislation take precedence over any existing and future state-level laws and not allow individuals to take action against companies directly.

What Federal Privacy Legislation Needs to Deliver for Consumers
While the two acts mentioned above highlight differences in political opinion about federal legislation, a pragmatic approach to privacy is wise. In my opinion, the best privacy act under consideration is the one that can pass into law. Although what our nation needs now is a strong precedent for federal privacy protection, future amendments and improvements are what will deliver both greater consumer privacy and other benefits like the following.

1. A More Streamlined Online Experience
Americans have an average of 27 online accounts that require different passwords and share users' email addresses and personal info with hundreds of third parties. A federal privacy law would provide the ability to opt out of many of these by removing the need to form a long-term relationship for a one-off transaction.

By requiring a smaller number of online accounts to access the same services, a comprehensive piece of federal privacy legislation would create a far more streamlined online experience. The fewer online accounts you need to access online services, the safer your personal information is.

2. More Choice of Services and Providers
As any federal law is likely to result in a uniform regulatory environment around privacy, businesses would not have to treat customers differently based on their location.

If American privacy laws were harmonized with the European GDPR standard, exchanging data internationally would also become easier. With a single data-privacy standard, Americans could shop more confidently with a broader range of vendors, knowing that every service is subject to the same regulatory regime.

3. Leveraging Your Privacy Preferences
By choosing to "opt in" or "opt out," consumers would be able to leverage the value of their personal information when dealing with businesses. This new freedom could open up new business models and offerings for customers willing to allow companies to use their data.

Final Thoughts
In 2021, privacy is going to be high on the agenda for both the Biden administration and its political opponents. However, while the details of any potential federal legislation are important, the precedent may be more vital. While the first instance of any law will undoubtedly be imperfect, any federal regulatory framework is better than none at all.

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California ...
 

Comments
Richard F.,
User Rank: Strategist
3/25/2021 | 2:41:48 PM
Federal Privacy Law - State AGs & FTC Ineffective - More Important Priorities
I am a Conservative, but I have also been a Judge, Prosecutor and Deputy AG.  The AGs are primarily state CRIMINAL LAW ENFORCEMENT agencies.  The "Civil Departments" and civil litigation are low priority.

Consumers must have the right to individually enforce their statutory rights for them to be real, effective and actually enforced.  Otherwise those "rights" inevitably go into the black hole of the bureaucracy to die.  Rare, occasional, if and when the bureaucratic timeservers feel like it, enforcement is worthless.

We would all welcome any AG that would actually join into litigation.  FTC action is so rare and unhelpful to consumers that complaining to it is a complete waste of time, ink and electrons. Consider how effective the FTC is for "Do NOT Call" law "enforcement"?  

Conditioning enforcement on action by the bureaucracy is useless and will eviscerate any supposed "rights."  That is no doubt an unspoken, unacknowledged aspect of the "SAFE DATA Act" that makes it desirable from the tech and advertising companies' viewpoint. Their "affiliates" have NO legitimate reason to have my data. Period!!!

Many consumers, Conservative, Moderate and Liberal all agree that we LOATHE advertising and detest "data aggregators."  Restoring personal control over our own information and the ability to individually litigate to enforce our rights will compel compliance.  Vesting exclusive enforcement in the bureaucracies is what Rush Limbaugh used to call, "an exercise in self entertainment."  

 

 