Implementing a uniform federal data protection law has been a growing topic across the country in recent years. There has been a significant push in the United States to establish a national standard data privacy protection law to protect consumers' data. However, data privacy laws in the U.S. continue to be implemented and regulated on a state level.
The Covid-19 pandemic has had a significant impact on the movement to create a national data protection law. In September 2020, the U.S. Senate held a hearing on the need for Federal Data Privacy Legislation. The hearing had a focus on how the Covid-19 pandemic has affected consumer data privacy across the nation. The pandemic has intensified the discussion and possibly the demand for a national data privacy protection act.
Individual states have been left to police the data privacy landscape themselves without a uniform federal regulation. With the California Consumer Privacy Act (CCPA) implementation, states like California have cracked down on data privacy regulations to further protect their consumers and hold their businesses accountable. The CCPA provides California residents new privacy rights regarding their personal information collected by companies operating in the state.
To date, three states, including California, have enacted data privacy laws. In July 2021, Colorado passed SB 190, the Colorado Privacy Act (CPA), which will go into effect on July 1, 2023, giving businesses nearly two years to become compliant. In addition, Virginia passed SB 1392, the Consumer Data Protection Act, which will go into effect on January 1, 2023. As a result of recent state legislation, businesses that operate across the country find it more challenging to remain compliant with new state-level data privacy laws.
While the U.S. doesn’t have a singular federal law that covers all types of data, it instead has implemented several federal laws including the Health Insurance Portability and Accountability Act (HIPPA), the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach Bliley Act (GLBA), the Electronic Communications Privacy Act (ECPA), the Children’s Online Privacy Protection Rule (COPPA), and the Video Privacy Protection Act (VPPA). These regulations cover only specific types of data and categories of information in particular circumstances.
The combination of state-level regulations and the narrow data laws that the U.S. has in place has made the data landscape more confusing for individuals concerned about their protections. In addition, the current data landscape has made it more difficult for businesses to remain compliant.
The U.S. may soon follow the trend of several countries and regions that have implemented common data privacy laws and regulations.
China recently passed its first significant data protection law in August 2021, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. The law covers the processing of consumer information of individuals located in China and when that information is processed outside of the country. The PIPL is similar to the EU’s General Data Protection Regulation (GDPR), which was approved in April 2016, and went into effect until May 2018. To date, nearly 20 countries have followed the EU’s trend and have established a data protection law similar to the GDPR.
These recent international developments highlight the importance of data privacy protections on national and global scales. As more countries around the globe put national data privacy regulations in place, the pressure on the U.S. to follow suit continues to grow.