Greetings from Portsmouth, NH!
It seems like every week we're discussing new developments in U.S. privacy law, and no doubt we'll continue to do so this week. In what was practically inconceivable a few years ago, trends indicate that we may well see a federal regulation in the next year or so. To me, at least, this possibility is mind-blowing.
A week after the U.S. Chamber of Commerce presented its blueprint for a privacy framework, the Internet Association — which represents some of the biggest tech players in the world — announced it supports a federal U.S. privacy law. Undoubtedly, the motivating factor for both organizations here is preemption of the California Consumer Privacy Act of 2018 and any other state law that aims to borrow from CaCPA. It's worth noting, however, that the association does support data portability. Internet Association President and Chief Executive Officer Michael Beckerman said the organization "would be very active working with both the administration and Congress on putting pen to paper."
Separately, Sen. Mark Warner, D-Va., who is increasingly embedding himself in the privacy world just weeks after releasing an in-depth policy paper on privacy, said a broad bipartisan congressional majority would likely support regulation of social media. "Depending on how we frame it, I think we'd have an overwhelming majority," he said. Though some of the issues motivating lawmakers to regulate social media — misinformation, election manipulation and the proliferation of "fake news" — do not overtly involve the privacy office, there appears to be some overlap.
If you're working in the privacy office, but are getting more involved in content moderation in any way, I'd love to hear your thoughts on this burgeoning and complex area.
It's also worth pointing out that just months after stunning the privacy world with CaCPA, California is by no means done. Last week, the state legislature approved what may be the first regulation of the internet of things, pending the governor's signature. SB-327, also known as "Information privacy: connected devices," introduces security requirements for IoT devices sold in the U.S., and that includes any device connected to the internet.
I mean ... that's A LOT of devices, right? And, yes, you may have guessed that the regulation includes "reasonable security" to make things clear as a bell.
In a blog post, the Information Accountability Foundation's Marty Abrams recently described the evolution of privacy law as a cascade of four waves. The initial wave came about in the 1970s with the Privacy Act, the OECD guidelines and the U.S. Fair Credit Reporting Act, among others. Wave two took place, he contends, in the 1990s with the first EU directive and the U.S. federal health regulation, HIPAA, among others. The EU General Data Protection Regulation is wave three, and we're about to head into wave four, which "will take the positive innovations in the GDPR and add processes that let society benefit from the data-driven [fourth industrial revolution]." What do you think: Are we ready for this fourth wave?
Before I wrap things up, I also want to send our well wishes to everyone who is affected by Hurricane Florence. Our thoughts here at the IAPP are with you. Be safe out there!