No Better Time to Propose U.S. Consumer Data Privacy and Security Act

In the wake of what seems like ongoing high-profile data breaches, such as Marriott and Equifax, consumer awareness surrounding data privacy and cybersecurity is steadily gaining traction. This should come as no surprise as the notorious Equifax hack alone saw the personal details of over 140 million people exposed.

As other states and nations grappled with the increasingly urgent issue of data security, the European Union was among the first to take the lead on the issue by establishing its General Data Protection Regulation (GDPR) that went into effect in 2018.

The state of California has since followed by enacting its own California Consumer Privacy Act (CCPA) in 2020, which was designed to foster proper data privacy practices within its jurisdiction. The implications resulted in a nationwide ripple effect that primarily impacted organizations that operate or do business within the state.

Although both the GDPR and CCPA have imperfections, each was designed to meet the growing need for wide-scale privacy regulation. Now, legislation has been introduced in the U.S. Senate to set forth the framework for federal data compliance regulations in the U.S.

The federal Consumer Data Privacy & Security Act (CDPSA) was recently introduced by Kansas Sen. Jerry Moran. The bill was shaped by the now infamous Senate hearings that saw Facebook, Yahoo! and Equifax brought front-and-center to address data privacy concerns. Resulting from these hearings, the CDPSA aims to set clear expectations for data privacy protection at the federal level.

This legislation is much needed, and urgently, as other states look to establish their own individual privacy regulations. But why is this needed so urgently and on a national level?

First, the CDPSA would give people more control over their personal identities. This means empowering the average internet user to access and control their own personal data – even including the ability to correct and erase as necessary. As it stands, personal data such as DNA currently is not technically owned by the individual. Legislation like the CDPSA potentially could make progress toward solving that problem.

Second, data compliance regulations like GDPR have been proven to stimulate the economy. The Center for Information Policy Leadership (CIPL) published a whitepaper in 2019 on the topic of benefits and challenges in GDPR year one. Among their findings, the authors reported that businesses benefited in a number of ways. Examples of these benefits include improved vetting in B2B negotiations and enhanced cyber defenses to increase the efficiency of dealing with potential breaches – as well as the associated costs.

Third, proposed privacy legislation like the CDPSA is simply the next logical step. Where this act falls short of GDPR is that, like all US laws, it fails to recognize that ownership of private data belongs to the individual.

The mindset around private data is that it is merely data with a monetary value that can be bought and sold. This act brings a national recognition that private data is important to protect, but fails to assign the ownership of that data to the individual. This will remain the greatest roadblock to privacy in the US.

There’s no arguing that consumers should have a say in how organizations use their data. The CDPSA is a step in the right direction and could give more power to individuals with regard to the protection and collection of their data, but not its privacy.

For example, the CDPSA would prohibit organizations from collecting personal data without the consent of the individual. It also would require organizations to have rigid data security protocols in place, which is essential to keeping private data from getting into the wrong hands – as was the case with the Equifax data breach. In all of its wording, the act fails to recognize that the company never owned that data in the first place and bears all liability for its mishandling and theft.

While there’s no guarantee that the current version of the CDPSA will be enacted, it’s already proven successful at getting the ball rolling for overdue individual privacy protections at the federal level. It’s important that policy leaders continue to shine the light on this topic until the proper framework is in place to give consumers some peace of mind when it comes to personal data privacy and security. Even if the CDPSA isn’t enacted immediately, it’s a much-needed step in the right direction.
