States are leading the way on data privacy

Late last month, Virginia’s senior Democratic Senator Mark Warner released a well thought out document outlining a list of policy options for national legislation on data security and privacy. Among the options is what his office called “comprehensive GDPR-like data protection legislation,” a reference to the European Union’s General Data Protection Regulation, which went into effect in May.

With fines of up to 4 percent of global revenue, that far-reaching legislation has had a profound impact on global data science programs using EU data. Its impact on machine learning, in particular, may well affect if and how the new technology gets deployed in major markets both in and outside of the EU.

Here’s how the Warner document summed up the proposed US national privacy law:

The US could adopt rules mirroring GDPR, with key features like data portability, the right to be forgotten, 72-hour data breach notification, 1st party consent, and other major data protections. Business processes that handle personal data would be built with data protection by design and by default, meaning personal data must be stored using pseudonymisation or full anonymization.

And Sen. Warner is far from alone in contemplating a national-level regulation on data, which, if implemented properly, could bring huge benefits (or, conversely, huge downsides). But what’s perhaps most striking about these far-reaching proposals is that regulators in the US are already leading the way. Those regulators just happen to be in state legislatures across the country.

If you want a sense of where the US is heading on data regulation, in short, look to the states.

{mosads}In California, for example, the state legislature in June passed a privacy measure called the California Consumer Privacy Act of 2018. The measure, proposed merely a week before it passed, gained unanimous support from the state legislature, in one of many signs that data regulations transcend the partisan gridlock we’re so used to seeing on most political issues.

The California law will come into effect in 2020, giving the law a two-year grace period just like the GDPR, which was passed in 2016. Once in effect, the California law will mimic many of the GDPR’s provisions, mandating a host of new rights about how consumers’ data can be collected and used.

More important than the commonalities between the California law and the GDPR are their differences. While the GDPR is all encompassing – mandating new requirements on everything from data collection, to use, to retention and deletion – the California law is much more targeted in its scope, focusing more specifically on consumer rights surrounding data at the point of collection.

Data scientists at smaller companies and start ups, for example, may not even be impacted by the California law at all, which is something that few data scientists in the EU could plausibly claim about the GDPR.

And while the GDPR applies to all data from the EU that could be used to identify individuals, the California law applies only to companies of specific sizes that use Californians’ consumer data. Among these requirements is that the gross revenue of the company exceed $25 million, that the company sells data on over 50,000 consumers in any single year, or that it derives at least 50 percent of its revenue from selling consumers’ personal information.

But California is not alone in paving the way for new data regulations in the US. Vermont recently became the first in the nation to regulate data brokers, the companies that buy and sell personal information.

With Vermont’s new law, brokers in Vermont must now disclose what data they collect and allow customers to opt out, along with a host of security requirements and breach notifications. In addition, consumers can now sue brokers if the data they sell causes illegal discrimination.

Meanwhile, legislators in Colorado recently enacted a new law targeted at frequently ill-defined data protection practices within companies. The new law singles out a broad category of data referred to simply as “personal identifying information” – which can range from social security number to biometric data – and mandates the documentation and implementation of practices that are “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

This might seem like a broad and vague mandate – and in many senses, it is – but the law is designed to ensure that companies have clear and consistent procedures to handle the growing amount of information they are collecting. If procedures are in place, according to the law, it should be clear who to hold accountable in the event of a failure.

This isn’t to say that US states are alone. Even a historically-reactive Congress is considering wide range of national data policies. Two bills, for example, are already pending in the Senate. One bill, called the CONSENT Act, would give consumers the right to know what kinds of data companies collect on them and to opt out. Another bill, called the Social Media Privacy and Consumer Rights Act of 2018, would require consumers to opt-into – rather than opt-out of – a company’s use of their sensitive data. (The folks at Inside Privacy did a great job broadly comparing these two bills here).

The House of Representatives itself has two proposals – the Balancing the Rights of Web Surfers Equally and Responsibly Act and Secure and Protect Americans’ Data Act – that are sitting in committee.

And even the Trump White House is getting in on the action, reportedly beginning to construct a framework to protect consumer privacy.

All that said, however, it’s the states that have been leading the way on privacy regulation. Other states beyond simply California, Vermont, and Colorado  – among them New Jersey and Washington  – have also joined in, passing laws on the use of retail data and biometric data, respectively.

U.S. Supreme Court Justice Louis Brandeis once called states the laboratories of democracy. So just what are these laboratories telling us? All data is increasingly becoming regulated data,  even without national-level data regulation. Just look at the laws on the books – state by state by state.

Andrew Burt is Chief Privacy Officer and Legal Engineer at Immuta, the world’s leading data management platform for data science. He holds a JD from Yale and is a visiting fellow at Yale Law School’s Information Society Project. He previously served as special advisor for policy to the head of the FBI Cyber Division.