It's been two years since Congress asked the General Accounting Office (GAO) to review whether a federal privacy policy makes sense for the United States.
The GAO says 2019 could be a good year for Congress to pass an internet privacy law that applies to businesses and consumers in every U.S. state. The GAO cited Facebook privacy scandals, a lack of ability to issue civil penalties in many cases, and recent privacy laws in Europe (GPDR) and California (CCPA) to support its reasoning—in addition to outlining specific areas of privacy risk.
GAO report conclusion: timing is right for national privacy law
You can read the 56-page letter from the GAO to Congress on federal privacy for yourself, or here is the gist from the report's conclusion:
"Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation.
Although FTC has been addressing Internet privacy through its unfair and deceptive practices authority, among other statutes, and other agencies have been addressing this issue using industry-specific statutes, there is no comprehensive federal privacy statute with specific standards.
Debate over such a statute could provide a vehicle for consideration of the Fair Information Practice Principles, which are intended to balance privacy concerns with the need for using consumers’ data.
Such a law could also empower a specific agency or agencies to provide oversight through means such as APA section 553 rulemaking, civil penalties for first time violations of a statute, and other enforcement tools.
Comprehensive legislation addressing Internet privacy that establishes specific standards and includes APA notice-and-comment rulemaking and first-time violation civil penalty authorities could help enhance the federal government’s ability to protect consumer privacy, provide more certainty in the marketplace as companies innovate and develop new products using consumer data, and provide better assurance to consumers that their privacy will be protected."
Should organizations still prepare for California privacy act if federal legislation is possible?
With a national privacy policy seeming more likely now in the United States, should organizations still spend time and effort preparing for the California Consumer Privacy Act?
We interviewed Lothar Determann about this at a recent SecureWorld conference. Determann is a partner at Baker & McKenzie and a privacy law professor.
"What I tell my clients is that the work of preparing for this [California law] and having a strategy on this topic is not going to be wasted.
I think companies are going to be held more accountable how they’re going to be sharing what information with whom. They’ll have to have robust contracts on this and reassess whom they want to do business with and under what circumstances."
Watch our complete interview on 3 Things Every Organization Should Know about California's New Privacy Law:
