Data Privacy is on the Ballot in U.S. Elections
 

This election year could have a big impact on U.S. data privacy policy. The issue is on the ballot in California, where the California Consumer Privacy Act (CCPA), a model for many other states, was just implemented in January 2020. And nationally, the election’s outcome could also determine the future of some 30 different data privacy proposals circulating on Capitol Hill.

As a practical matter, though, many American companies must already comply with a patchwork of old and new data privacy regulations and standards — whether at the state, national, international or industry level. Included are various requirements for:

• Designing data privacy protection into any new product or service;
• Implementing policies and procedures for sharing customers’ and employees’ information;
• Securing personal information as it’s created, stored, maintained, and transmitted;
• Reporting data breaches;
• And training personnel to handle personal data properly.

Much of the compliance work revolves around everyday business email, which is central to data privacy in two big ways. First, it’s one of the largest repositories of personal information that any organization holds. Second, business email is the most common trigger of data breaches that expose personal information.[1]

As privacy rules continue to take shape, technology market experts like the Gartner Group advise companies to be proactive — to build holistic, adaptive privacy programs instead of reacting each time a new jurisdiction institutes a new policy.[2] Technology is an essential component of these compliance programs, securing data and automating compliance.

The Data Privacy Landscape Is Shifting Again

The introduction of the CCPA set off a wave of data privacy initiatives across the country, with bills being considered in at least 30 states and Puerto Rico before the pandemic shifted priorities.[3] While the CCPA is already considered quite strict, questions about its enforcement mechanisms and other aspects prompted some privacy advocates to draft Proposition 24, now on the ballot in California.

If passed, Proposition 24 would expand on the CCPA in several areas. Those that could impact business email include stronger policies on minimizing the retention of personal information and the establishment of the California Privacy Protection Agency, adding another regulator to the compliance mix. Other major areas of focus include the use of personal information to target advertising.

Meanwhile, national election results could prompt a renewed push in Washington for a comprehensive national data privacy policy. More than 30 data privacy bills have been filed in the past two years, according to the Brookings Institution, a think tank.[4] The two bills with the greatest momentum are sharply different, Brookings says, but they do agree on significant issues such as data minimization.

Added to the mix are privacy policies across different sectors. The Health Insurance Portability and Accountability Act (HIPAA) has long governed healthcare companies. Financial services companies must answer to government and non-government agencies such as the PCI Security Standards Council and New York State Department of Financial Services.

The 2020 election’s outcome could determine which, if any, will move forward: Democratic presidential candidate Joe Biden has suggested that the U.S. should have a national privacy law that sets standards similar to Europe’s General Data Privacy Regulation (GDPR), while President Trump has yet to weigh in.

Globally, ‘Modern’ Data Privacy Regulation Accelerates

Internationally, GDPR has entered the enforcement stage, with 430 fines and penalties publicly listed since its implementation in 2018.[5] The comprehensive data privacy policy covers companies both within and beyond the European Union, if they do business with European citizens, though implementation between Europe and the U.S. has been rocky. In Europe, fines have ranged from the hundreds to millions of dollars for findings such as insufficient technical and organizational measures to ensure information security.

All in all, 65% of the world’s population will have personal data covered by “modern” privacy regulations by 2023, according to Gartner, compared to 10% in 2020. While 130 or more countries have some privacy laws on the books, many have been modernizing their laws since GDPR was issued.[6]

Compliance Programs and Technology

Complying with changing data privacy regulations is both an organizational and technical challenge.

Companies spend millions establishing compliance strategies, policies, procedures, and training to protect their customers’ and employees’ personal information. Leading practice includes instituting high-level principles regarding personal data as part of a documented and measurable strategy. In handling email, for example, archiving policies need to address why personal information is retained and for how long, as well has how the company protects against email-borne threats that could breach its stores of personal information.

For email, translating compliance strategy into practice involves technical tools for implementing these and other policies on data management, security, archiving, search and retrieval, encryption and regulatory reporting. Cloud-based email services such as Mimecast are incorporating and automating more of the data security and regulatory administration capabilities needed to comply. For example:

• Certain types of personal information in emails can trigger encrypted messaging.
• Compliance teams can set, maintain and enforce retention policies that “expire” messages within a set number of days.
• Data dashboards can measure employees’ likelihood of clicking on scam emails, risking a data breach that exposes personal information.

The Bottom Line

More changes to data privacy policy could be on the way, as U.S. voters go to the polls in California and across the country. Companies have been living with shifting privacy regulation for a long time. Many are taking practical measures to ensure that, once again, they can adapt and comply.

[1] “2020 Data Breach Investigations Report,” Verizon

[2] “Gartner Predictions for the Future of Privacy 2020,” Gartner

[3] “2020 Consumer Data Privacy Legislation,” National Conference on State Legislatures

[4] “How the 2020 Elections Will Shape the Federal Privacy Debate,” Brookings Institution

[5] “GDPR Enforcement Tracker,” C/M/X

[6] “Global Data Privacy Laws 2019: 132 National Laws & Many Bills,” Social Science Research Network