For years, American consumers have watched their credit card numbers, social media details, even dating profiles leak from one major outlet or another. The Equifax data breach, Cambridge Analytica scandal, and leaks from trusted brands like Target have all fueled a push by privacy advocates to give consumers more control over their data. 2021 is likely to be their year.
This year, not only does a single party control Congress and the White House, but noted privacy hawk Kamala Harris wields the tie-breaking vote. Add to that a rare wave of bipartisan support overall and you can bet a big push for a federal data privacy law is coming to the U.S., and not a moment too soon. Many of the federal laws governing data privacy and security are woefully out of date. In fact, most of the existing federal statutes the regulators cite to enforce online data privacy were signed into law before the dawn of the modern internet.
We took a look at the patchwork of state and international laws that now govern data privacy to see what might be coming down the pike. Here's what to expect:
A new federal agency
Right now, data privacy falls under the Federal Trade Commission. Brought into existence more than 100 years ago by lawmakers who couldn't have envisioned a simple pocket calculator, let alone the current online data economy, the FTC would need a major overhaul, or at least a totally new toolkit, to manage online data privacy.
Federal changes are coming as the Federal Communications Commission (FCC) announced that Commissioner Jessica Rosenworcel has been selected by President Biden to serve as Acting Chairwoman of the FCC. She has served at the FCC since 2012.
Similarly, the Federal Trade Commission (FTC) announced that Commissioner Kelly Slaughter has been designated as Acting Chairwoman of the FTC. Acting Chairwoman Slaughter has been a FTC Commissioner since 2018 and served as Chief Counsel for Sen. Chuck Schumer (D-NY) prior to joining the FTC.
A new regulatory agency would be a key piece of any Democratic proposal, according to Yory Wurmser, principal analyst at eMarketer. "Republicans want federal laws to supplant state privacy laws, such as California's CCPA and CPRA. They oppose giving individuals the right to sue if there's a data breach or other violation," he says. "The Democrats are the opposite, and they go further in the types of data protections they want. Some have even proposed a national data protection agency"
Wurmser points to Ohio Senator Sherrod Brown's proposal as a good example of the Democrats' opening position. He's proposed the Data Accountability and Transparency Act (DATA), which would create a federal agency to serve as a clearinghouse for data privacy complaints. The office would also have the power to set data privacy compliance standards and certification requirements, giving businesses a set of rules that would supersede individual state requirements. But it would also likely have the power to impose fines and requirements that marketers aren't likely to love.
Data Credentials for Businesses and Execs
The data ecosystem of today is a freewheeling place which will continue to evolve over time. Companies collect way more data than they could ever use and that data is controlled by executives with no background in data management. Expect that to change under most of the new privacy proposals being floated. Plans proposed by leaders like New York Senator Kirsten Gillibrand would give a federal data privacy agency the power to issue certifications and other credentials for businesses that want to use data.
Businesses, and in some cases their senior executives, would need to demonstrate that they were fully compliant, and fully competent to manage large amounts of consumer data before being certified to run a data-driven business. While no one is proposing the businesses or executives need to be licensed to handle consumer data, they would need to prove that they have a good reason to do so.
That would mean outlining exactly what they plan to do with customer information before it's collected, and proving that they were willing and able to give that data a reasonable amount of protection to prevent leaks and breaches. While no regulation is foolproof, data executives will need to undergo at least as much training as the average tattoo artist or cosmetologist.
Expansion how the law defines personal, private data
Brown's proposal also contains the seeds of what will likely be another key feature in a national data privacy law. DATA would dramatically expand what counts as personal and private data. Currently, federal law only covers the kind of private information that was likely to be collected back when Congress took its last swing at passing privacy regulations—in the mid 90s. That includes data like addresses, phone numbers, and health records.
A lot has changed since the last days of dial up. Brown's law would ban the use of facial recognition technology and classifies facial data as well as other biometric data points like fingerprints as "personal and private." This would require businesses that collect this data to offer consumers the same rights afforded to other forms of private information and would stiffen the penalties for failing to secure and protect biometric data from hacks and breaches. In a world of deep fakes, consumers will likely be glad to know that their faces are at least as secure as their phone numbers.
Consumers may opt-in, not out
Perhaps the biggest change on the horizon from a marketer's perspective is the transition from an opt-out world to an opt-in world. Most stringent privacy rules in the U.S. offer consumers an opportunity to proactively opt out of having their data collected, stored, and used for business purposes. Consumers who want to take advantage of these rules need to first know about them, and then be able to track down the individual opt-out forms required in order to have their data deleted, suppressed, or no longer collected.
A new national privacy law will likely turn this requirement on its head, putting the onus on businesses to get consent before they collect data rather than waiting for users to actively opt out. This is a central tenet of the European Union's General Data Protection Regulation (GDPR) that privacy advocates hope will make its way to the United States. In practice, this will mean that businesses will have to get better at explaining why people should choose to share their data, rather than simply discouraging them from opting out.
The Need to Demonstrate Value
If consumers need to choose to be tracked, then marketers will need to find ways to make that prospect more attractive. According to Yory Wurmser, "They will need to adjust to gaining consumer opt into data tracking…They will need to make a clear case why they need consumer data, whether it's purchase data or other signals of consumer intent. They'll need to really define for themselves which data they need and why, and then they need to convince consumers to let them track it."
While studies have found that consumers value some of the outputs of data tracking, like greater personalization, it's likely that too few people will opt in to maintain the status quo. Marketers will have to find other ways to deliver ads to the right people without collecting unlimited data on most of the population.
Wurmser notes that Google and Apple have already made this type of advertising, until recently a staple of the digital marketing ecosystem, much more difficult by deprecating third party cookies and identifier for advertisers (IDFA). Essentially, they gave marketers and tech vendors a preview of what a world with a unified federal approach to privacy might look like, forcing them to find new ways to approximate targeted marketing without consumer data.
