
Oh say, can you see, by the dawn’s early light, a tsunami of epic proportions breaking over the shores of American regulation? In case you missed it, the change of government has washed over Washington in spectacular style. The prospects for a federal privacy law may now be as bleak as the chance of Rhossi the sea turtle making it home, but is the picture for data protection in the states all doom and gloom?
Securys has obtained a sneak preview of new research (by commissioning it) which reveals that… the US is in danger of falling behind when it comes to data protection matters. While this may not appear shocking to the gum-chewing, gun-toting data protection hands who roam the plains of privacy in search of data protection laws like cattle to round up, our research has also found that the picture in the US is not as bleak as may be assumed from the absence of a federal privacy law, with the steady adoption of new state regulations undoubtedly a driver for many businesses.
Many US companies have spent some time and resource on a privacy infrastructure but there is a risk that these foundations are not being developed consistently by the practice of governance, with the research finding gaps in external audit, a dearth of the investment required to manage an active privacy programme and a disconnect between corporate insouciance about the adoption of AI and consumer concerns about how these tools are changing the way their data is being managed and manipulated.
This may reflect a sense of complacency, or perhaps simply a lack of awareness that compliance is never a ‘one and done’ affair. Privacy is a flower that needs cultivation to bloom in a changing environment. This is true everywhere but not least in the US, where new states are adopting privacy laws faster than government departments are shutting down: a lucky thirteen states now have active new privacy laws, with another three coming online this year.
Equally, a more cynical view about enforcement and the lack of external drivers to adopt and promote better practice in privacy may lead to assumptions about the need for investment in data protection. Those of us practising practical privacy in other countries have seen a certain smugness among businesses against the backdrop of a weak enforcement environment, even in Europe, where the greatest impact has come from the actions of one little Austrian [please do your best to resist Godwin’s law here] rather than legions of regulators. That consumer-led approach is being seen increasingly in the US. The rise of privacy litigation, with over 2,500 privacy cases in US courts last year, coupled with some interesting questions about the extent to which privacy actions may be covered by insurance, suggests that there is little reason for American businesses to be sanguine about a lack of enforcement.
Those of us who can recall the time when a Doge was at the heart of a European superpower will recall that it was a byword for diplomatic sophistication in a multi-polar world as well as trading muscle [see, that European smugness appears to be catching] but things have moved from the era of medieval Venetian mercantile supremacy to an age of social media, crypto and AI that would leave Marco Polo in a hole of bewilderment.
Like the settlers who ventured into the Old West, those who manage privacy in US businesses today are beset by problems. As any data protection expert will tell you, the threat is less likely from without (in spite of what we may have been led to believe by the more dramatic retellings of popular culture) but rather from within: just as previous generations of settlers battled starvation and disease, so American privacy is threatened by a dearth of training and awareness, a lack of resources to detect and prevent harm and a gulf in governance.
What can one do in this situation? The traditional response, as shown in countless Westerns, is to saddle up – or in today’s vernacular, to lawyer up. This might give the same reassurance as the trusty Winchester across the lap of the person riding shotgun on the wagon train, but when the threat is a shortage of clean water or beans, no amount of bullets can help. Those countless Westerns never showed the beans, though (unless you count Blazing Saddles, which appeared to show a surfeit…).
Many of those settlers were prospectors, of course, in search of wealth from gold, oil and more. Today it is the natural resources of people that are being mined and – as many of our forefathers discovered to their disadvantage – there is a lot of snake oil out there, as people’s data are being plundered recklessly. Will those who trust companies with their data recover it? The bankruptcy of 23andMe shows the limits of litigation, as recourse may be futile for those who wish to recover their sensitive data. Companies have a responsibility which transcends regulation or litigation, to do right by the people whose trust they have won.
Our research does not paint a picture of relentless woe, like a hurricane sweeping across the Gulf of [insert preferred name here], because it turns out that a commitment to privacy is not entirely contingent on the sticks of regulations and litigation; as we have seen before – and as our survey respondents recognise – the carrots of better engagement and consumer trust can be more than sufficient motive. As the FBI (no, not that one) put it so well…
… Manhattan, you got to do the right thing
Brooklyn, you got to do the right thing
And the Bronx you got to do the right thing
Queen's Island, you got to do the right thing
Long Island, you got to do the right thing
Staten Island, you got to do the right thing
On the West Coast, you got to do the right thing
Everybody, everybody in the world, you got to do the right thing