Government Accountability Office Renews Call for National Data Privacy Legislation

In a Report to the House Committee on Energy and Commerce, the Government Accountability Office ("GAO") recommended that Congress pursue comprehensive federal legislation on cybersecurity and data privacy. It is the GAO's latest call for a national strategy to protect consumers. A similar approach - the General Data Protection Regulation - was adopted by the European Union and went live last year.

The GAO explained that the United States lacks a comprehensive internet privacy law governing the "collection, use and sale or other disclosure of consumers' personal information," relying instead on industry-specific laws enforced by various federal agencies and on data breach statutes enacted and enforced at the state level. Federal data privacy actions are brought chiefly by the Federal Trade Commission ("FTC"), which can initiate investigations and impose civil penalties under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."

Commentary

Expect that as data breaches and the use and sale of personal information continue to raise concerns among consumers in the United States, calls for a national data privacy standard will only increase. Currently, the world's most technologically advanced nation applies a patchwork of federal, state, and industry-specific cybersecurity rules to govern how data may be used and what to do in the event of a breach. This is made worse by a host of federal regulators who weigh in on cyber-related matters, including the FTC, the Consumer Financial Protection Bureau, the SEC, and the DOJ, among others. California has taken the lead in providing consumers with enhanced rights over how their personal information may be used and an opt-out to prevent the sale of such data; however, that law does not go into effect until January 2020, and even then it does not go nearly as far as the General Data Protection Regulation, which has its own requirements relating to data protection and data breach notification. A federal standard, enforced by a single federal regulator, would allow consumers and businesses to rely on one uniform standard rather than the balkanized system currently in place.
