Data Regulatory Trends

This is part one in a two-part series of articles analyzing data regulatory trends and their potential impacts. Look for part two later this month.

By Larry Buzecky, AEM Vice President of Business Intelligence —

Andrew Schlidt, a partner at Godfrey & Kahn, has been building his technology law practice over the past 20 years. Initially hired as a software programmer at Accenture, he ultimately decided to pursue law and now helps clients with data compliance obligations and compliance strategizing.

When asked about data regulatory trends in the United States, he pointed to several key trends that have emerged in his technology practice that greatly color our current state.

“We don’t have time for this!”

Schlidt noted that many companies simply lack the internal resources to focus on data regulatory compliance, which further compounds the steep learning curve that accompanies trying to learn more about data compliance-related regulations.

Often companies have no staff dedicated to privacy or other similar data-related issues, “…so they pull up from the ‘farm team,’ asking existing staff to learn the area in a part-time role,” he observed. “This stands in contrast to the staffing gains made in the past few years in response to cybersecurity risks. Privacy is still a work in progress.”

So, if a company has dedicated no single staff person to address data regulation compliance, how do they address this need?

In larger companies, new departments are being formed and built out to implement formal enterprise privacy programs, grow their knowledge and mature their response, but, according to Schlidt, “(T)his is not even on the radar for small or mid-sized companies, whose efforts are often piecemeal and reactive at best.”

IT departments have also been enlisted to monitor data regulations and privacy, but IT departments are often anxious about being in the “ownership” position, given all their other more pressing, and often more urgent, responsibilities. And the interests of IT departments are more focused on data storage, integrity and availability as opposed to privacy compliance.

Marketing is another department that may exercise ownership, as is the case with AEM. Tara Cowling, the association's director of digital marketing, observed that “…an increase in privacy sensitivity has forced marketers to shift, as the old ways of doing things are no longer acceptable by law or consumers. We’ve seen the trickle-down effect with web, social and major corporate giants. Brands need to be proactive in making continuous updates, improvements and monitoring. Keeping consent top of mind increases long-term trust and customer loyalty.”

Finally, there may be a cobbled-together, multi-department, hybrid approach, but here policies and procedures are often inconsistent, because the business needs and purposes of those departments differ.

Schlidt noted that, under the European Union’s (EU) General Data Protection Regulation (GDPR) – the framework that covers data protection and privacy – some organizations must engage an individual tasked with a regulatory obligation to monitor privacy compliance within the organization – namely, the Data Protection Officer (DPO). This regulatory obligation has been met with mixed results in the EU, as the role of the DPO continues to be refined as challenges in practical application arise, including whether the DPO ultimately represents the interests of the company, the regulatory authorities, consumers or some combination of the above, and whether and to what extent the DPO may be held personally liable in the performance of this role. Which leads us to our next trend.

“We’re Confused…”

The next trend Schlidt identified is, as he put it, “… the massive disconnect in U.S. companies around the interplay between data ownership and the enormous set of data use restrictions before us now.”

He pointed out that the U.S. is behind the EU in recognizing data privacy, as it’s not intuitive or consistent with the U.S. concept of data ownership. He explained that our existing corporate concept of copyright under intellectual property law historically has led most companies to assume that they own their customer data without restriction. But the development of emerging privacy regulations runs contrary to this concept in several important respects, including by putting significant control over use of the data back into the individual's hands if there is personally identifiable information involved.

Thus, the concept of corporate ownership of data in the U.S. must evolve, and it is doing so, Schlidt suggested, as businesses adapt to new state laws promulgated in California, which loosely follow the broad brush strokes of the European GDPR model (though using entirely different definitions and terms, just to add to the confusion). California moved first in terms of aligning with this new concept in the United States, with Virginia, Colorado and Connecticut, among others, looking to adopt similar state privacy laws. Now, there is a large wave of state actions underway covering a variety of aspects of data privacy.

But with the states currently pursuing strategies that may or may not align with each other, the result will inevitably be a patchwork approach that may make navigation a heavy burden on other countries trying to do business in different regions of the U.S., not to mention U.S. companies trying to do business in multiple states.

As noted by Harriet Jones, a Partner at IBB Law in the UK, when it comes to UK-based businesses trying to cope with data regulatory compliance in the U.S., businesses need to adopt a new perspective. “The UK treats the U.S. as lots of different countries,” she said. “And with the UK having its hands so full with the EU, it’s hard for the UK to even focus on the U.S.”

There are members of Congress who are attempting to address the evolving quilt of state-level regulatory data privacy initiatives. For example, the American Data Privacy and Protection Act (ADPPA – HR 8152) was introduced on June 21 of this year. In short, the bill “establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual,” as summarized by the Congressional Research Service.

This Act, in Schlidt’s opinion, will not pass. He sees passage being blocked by several prevailing counter-forces:

  • A reluctance by California state representatives to support a federal law that they do not believe is strict enough, such that they do not want the federal law to pre-empt their stronger state protections in California.
  • A lack of consensus in Congress regarding whether to include a private right of action for individuals to bring claims and enforce the law in the event of data use abuse.
  • Various State Attorneys General who desire to maintain some ability to enforce privacy violations in their respective states, as opposed to handing that authority and control entirely to federal enforcement agencies.

“I’m tired of reacting, how do I get ahead of it all?”

A final trend Schlidt identified has to do with companies simply being exhausted by the uphill climb of continuously reacting to new data privacy requirements. Instead of reacting, they want to find a way to be proactive. For many companies, this means taking the time to develop an overarching data strategy to drive the business objectives of their organization, and under that umbrella embedding the broad brush strokes of a privacy program that will hit the material elements of privacy compliance now and in the future. In developing an overall data strategy, there are basic strategic questions that companies must ask themselves, including, among many others:

  • What data do we collect and why?
  • Why do I want to keep this data?
  • How long should I keep this data?
  • Who will I share this data with?
  • How do we wrap compliance around our business strategy?

In short, according to Schlidt, “Strategy leads, compliance follows. But compliance assumes you know what you have and why you have it. If you don't know, you can't protect it, nor can you purposefully maximize economic value from it.”

As Schlidt noted, some data is an asset, some data is toxic. Unless you’ve put strategic thought and planning into it, your employees are unlikely to know which is which for your organization.

The good news here is that technology has been changing to operationalize data strategy. For example, OneTrust is a Software as a Service (SaaS) platform that helps facilitate the management of data privacy programs.

These platforms, however – and software platforms in general – may harbor their own pitfalls. Schlidt observed that, with artificial intelligence being utilized in data flows, developer assumptions that have been inserted into the underlying code could become a business liability, and this is an emerging hot issue in the use of AI.

He asked, “Are the algorithms delivering discriminatory or biased results in any way? What assumptions are baked in? Companies will need to conduct appropriate due diligence with their software vendors about the black box functionality that lurks ‘under the hood’.” He further offered that it is not legally defensible to pump data into an unknown box of secret algorithms and have no idea of the elements and weighting considered to prioritize the end results, especially when the elements and weighting could rely on legally impermissible factors. He cites a company’s use of AI job application software services as a solid example of where real issues could lurk if the software is used to prioritize applicants for interviewing and hire.

Of course, in response to this particular potential liability, state laws are being drafted to address the matter. New York has an “AI” state law in effect that prohibits the use of discriminatory factors in technology algorithms.

As stated by JD Supra in an August 2022 post, “Starting on January 1, 2023, New York City employers that utilize artificial intelligence (AI) decision-making tools in their hiring practices will need to provide notice to applicants of the technology and conduct independent bias audits to ensure that these tools do not have a discriminatory impact on candidates.”

“Data mapping is key – but – ugh.”

Schlidt noted that to even begin the data regulatory compliance journey, companies must catalogue or “map” all of their data sources. “This function is considered a drag, and no one really wants to do it,” he said, “but it's a fundamental first step. If you can’t map all data, then pick high-priority streams and just get a start.”

But it’s not simply the data that companies have accumulated internally. They must look through their “data supply chain” – those third-party actors that either gather data for the company or receive data from the company. Contractors must have data protection provisions in place, and their third parties as well, and so on. Without these protections, Schlidt warned, the law will hold companies liable for the acts of their subcontractors.

He recommended using a standard contractor due diligence questionnaire upfront to determine various factors, with questions such as:

  • Where do you store data?
  • Do you use offshore locations?
  • Have you had any data breaches in the past 3 years?
  • What does your cybersecurity program look like and do you conduct regular assessments?
  • Do you comply with any cybersecurity standards like the voluntary cybersecurity framework developed by the U.S. National Institute of Standards and Technology (NIST)?

Contractor data questionnaire templates are available from Godfrey & Kahn.

“Okay, let’s get going.”

In short, complacency is not a strategy, and exhaustion is not a sustainable excuse. The U.S. is a global leader in litigiousness, and the regulatory enforcement environment is maturing, such that companies must take a proactive stance to protect themselves.

All companies, large or small, must understand how valuable their data assets are and where they are, and take steps to protect this golden trove from lawsuits that could strip it from their coffers. Or, from a more positive business growth perspective, companies would do well to develop a data strategy that not only provides for effective regulatory compliance, but also conveys a commitment to good data stewardship that builds confidence and trust with their customers and partners, ultimately creating a business advantage.

A very special thanks to Andrew Schlidt for his perspective and insights.

Subscribe to the AEM Industry Advisor for more AEM staff perspectives.
