Data has long been an invaluable resource for businesses. Its worth has only grown tenfold in the 21st century, with big and small businesses adopting a data-centric approach to achieving their strategic objectives. The result has been unprecedented growth and the ability to cater to consumers’ specific needs, wants, and desires through a more personalized online experience.
At the same time, some actors have regularly attempted to exploit the mammoth volume of data being collected and processed. This is precisely why global data regulations exist, ensuring that all businesses and organizations collecting and processing users’ data undertake appropriate measures to ensure privacy and security.
The United States of America is one of the few countries that does not have comprehensive federal legislation on data protection. There have been constant rumors and even proposed draft legislations, but federal data privacy legislation in the United States has remained a distant possibility.
Data Privacy In the SOTU
Amidst this backdrop, the incumbent US President Joe Biden’s State of the Union (SOTU) provides a glimpse into possible future data protection legislation on a federal level. It is also worth noting that President Biden is the first president in recent history to consider data privacy a matter of national interest. In his first SOTU in 2022, he spoke of the need to “strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children.”
It is also worth noting that his predecessor Donald Trump did not comment on the topic during his tenure, while Barack Obama briefly touched upon the necessity of reforming the United States’ national surveillance programs following Edward Snowden’s National Security Agency leaks. This lack of emphasis on data privacy on a higher governmental level may reflect that the United States has had a tricky relationship with digital privacy. However, that would be only partly true.
“Privacy” in the US Throughout the Years
Throughout its history, the United States has had highly progressive policies for protecting its citizens’ right to privacy. Right from the country’s independence, one of the founding fathers and later Postmaster General of the US, Benjamin Franklin, introduced the policy of having all postal carriers’ saddle bags sealed, only to be unsealed at their destination.
This need for privacy became even more urgent with the introduction of the telegraph in the 1800s. Though only individuals with an understanding of the Morse code could realistically intercept and understand the messages being sent, it was considered a privacy risk, resulting in ciphers and encryption being used as a standard practice across the United States.
In 1917, an official request filed by the Bureau of Investigations to open mail to investigate possible acts of espionage and subversion was denied by Solicitor General Judge William Lamar, who noted that doing so would amount to privacy infringement on a nationwide scale.
Further down the line, with the ratification of the fourth amendment to the US Constitution, citizens were given the right to be secure against unreasonable searches and seizures by the government. In the landmark 1965 Supreme Court ruling in Griswold vs. Connecticut against Connecticut’s “Comstock law” that prohibited all forms of contraception, the Court ruled that the law violates individuals’ “right to marital privacy.”
The 20th century also witnessed the establishment of the Federal Trade Commission (FTC). Though the FTC’s primary purpose remains to regulate deceptive commercial practices, it has been the leading federal agency dealing with developing privacy policies and enforcing federal privacy laws.
Several key legislations and practices were adopted in the US in the 20th century to protect and fulfill Americans’ right to privacy. In this respect, an important development was the proposal by the US Department of Health, Education and Welfare of a set of privacy principles in the form of the HEW Report, called “Records, Computers and the Rights of Citizens: report of the Secretary’s Advisory Committee on Automated Personal Data Systems.” This led to the formation of the Fair Information Practices, a set of privacy principles that have since become the foundation for modern privacy legislation.
Moreover, significant privacy-oriented laws were introduced in distinct spheres, such as the Family Educational Rights and Privacy Act 1974 (FERPA), Children’s Online Privacy Protection Act 1998 (COPPA), Gramm-Leach-Bliley Act 1999 (GLBA), and Telephone Consumer Protection Act 1991 (TCPA). The most well-known privacy law within the United States, the Health Insurance Portability and Accountability Act 1996 (HIPAA), was also passed towards the end of the 20th century with the purpose of regulating the use, disclosure, and protection of health information.
The recognition of data privacy’s significance grew prominent in 1999 when then US President Bill Clinton, in his SOTU address, highlighted the privacy risks facing medical data and stated the following: “as more of our medical records are stored electronically, the threats to all our privacy increase. Because Congress has given me the authority to act if it does not do so by August, one way or another, we can all say to the American people, ‘We will protect the privacy of medical records, and we will do it this year.”
The following year in his final SOTU, Clinton highlighted the need for financial data privacy, stating that efforts were underway to protect the privacy of banks, credit card records, and other financial statements.
Privacy in the 21st Century
By the start of the 21st century, the United States began undertaking reasonable measures to ensure its state apparatus kept pace with the evolving digital landscape.
The E-Government Act of 2002 was passed to promote the use of electronic government and provide enhanced access to government records and services. A standout feature of this legislation was requiring all federal government agencies to perform a Privacy Impact Assessment (PIA) for any new technology, mechanism, or feature that required collecting, maintaining, or disseminating personally identifiable information (PII).
While the privacy legal landscape did not see much subsequent development on the federal level, certain states in the US introduced privacy legislations for different purposes, such as the Internet Employment Privacy Act of Utah, which prohibits employers from asking employees or applicants to disclose their usernames or passwords that allow access to the individual's personal Internet account, and the Delaware Online Privacy and Protection Act that strictly regulates advertising directed at children while requiring privacy policies on all websites.
However, California has been by far the most active state in this regard. The privacy-oriented legal overhaul in the state started with the California Online Privacy Protection Act of 2003, the California Electronic Communications Privacy Act, and California’s 'Shine the Light' law (CA Civil Code § 1798.83 - requiring businesses to disclose on consumers’ request the personal information shared to third parties and the details of such third parties). By 2020, California had passed the California Consumer Privacy Act (CCPA), a landmark data privacy law that was later substantially amended by the California Privacy Rights Act (CPRA) at the start of 2023.
In addition, a few other states, that is, Utah, Colorado, Connecticut, and Virginia, have enacted their own data privacy laws with various obligations for businesses to comply with. The start of 2023 has also witnessed a floodgate of proposed legislation in the domain of data privacy and protection, reflecting the growing significance of protecting data in the ever-changing technological landscape.
Learn more about the Consumer Privacy State Laws Across the US.
What Next?
Ahead of President Biden’s SOTU, the White House released a Fact Sheet. It elaborates on several points the President raised in his address, noting that “there should be clear and strict limits on the ability to collect, use, transfer, and maintain our personal data, especially for sensitive data such as geolocation and health information, and the burden must fall on companies — not consumers — to minimize how much information they collect.”
The President wanted to cover several other technological aspects, such as algorithmic transparency. However, those parts were eliminated from the final address while data privacy remained a central point.
It is important to highlight here that a draft federal data protection law called the American Data Privacy and Protection Act (ADPPA) was released on June 3, 2022, seeking bipartisan support. The draft legislation lays down important consumer rights and imposes obligations on businesses concerning collecting, processing, and transferring personal data.
Moreover, the FTC has also launched a rulemaking process on commercial surveillance and data security, which is bound to impact every internet entity. However, it remains to be seen how the President’s remarks in the SOTU and the foregoing proposed measures translate into future legislation and policies in the field of data protection and privacy in the US.
Learn more about the proposed American Data Privacy and Protection Act.
How Can Securiti Help
Even in the absence of federal data protection legislation, organizations in the US are obligated to comply with a slew of privacy laws and rules. As noted, while the obligations these regulations place on organizations are relatively straightforward, manually attempting to comply with them may spell a logistical nightmare.
This is why automation is critical to seamless and effective compliance.
Securiti is a market leader in providing data privacy, security, compliance, and governance solutions to help organizations honor all their obligations and requirements per any major global data regulation.
Request a demo today and learn more about how Securiti can help you in your compliance journey.
