America Needs a National Privacy Policy
The United States likes to envision itself as one of the leading nations in the world, pushing the envelope in science, industry, economic strength, and military prowess. While such aspirations may not always be correct, we can justifiably take pride in our accomplishments and feel confident in our future. Neither of those sentiments, however, apply to how we treat the privacy of personal information.
Many countries, and even groups of nations such as the European Union, have sophisticated regulatory programs that provide comprehensive protections for the collection, processing and use of personal data. We do not. In the United States privacy is generally regulated on an industry-by-industry basis, building silos of behavior for each of the entities that acquire and use our data. Government agencies, banks, healthcare providers, and other sectors have separate sets of regulations. The closest we come on a national level to consistent privacy regulation is the efforts by the Federal Trade Commission to enforce consumer protection law against businesses which fail to provide the data protection practices they proclaim to the public.
Amidst this federal void, individual states are beginning to enact comprehensive privacy laws. California led the way and has amended and broadened its original statute. Virginia and Colorado have passed legislation which come into effect in the not too distant future. Numerous other states are holding hearings and drafting bills. Left unchecked by a superseding federal privacy law, these efforts portend a future patchwork of inconsistent state regulations similar to the fifty plus data breach notification laws now in effect. In such situations, efforts to be compliant on a national level often resolve into “comply with the strictest law and follow that plan everywhere” approach. In effect, this negates the actions of most jurisdictions in favor of simplicity of response. But the state privacy statutes passed to date contain significant differences, not all applying to the same types of entities or requiring the same kind of compliance. For a business active in multiple states, the complexities of privacy compliance may prove daunting.
On the international level, the absence of a federal privacy law that protects personal information as a right of citizenship rather than incidental to a commercial transaction should be considered an embarrassment. American exceptionalism falls flat when countries we might consider “less developed” protect the personal data of their citizens far more comprehensively and meaningfully than we do. In addition, the lack of substantive privacy protections in the United States is treated as a serious obstacle by significant trading partners, such as the European Union, to the free flow of data. Quite simply, for the United States and its industries to remain competitive we must move into the mainstream of international privacy regulation and not be the outlying exception we are now.
For both internal and international reasons, the United States needs a comprehensive, national scheme to protect personal privacy and needs it soon.
