Data privacy is a hot topic in Washington D.C. right now. In late June the House Energy and Commerce Committee introduced the American Data Privacy and Protection Act. The bill has bipartisan support, but still requires floor votes in both chambers, and faces an uphill battle in the Senate.
Following last month’s warning to business, and unwilling to wait for Congress to decide whether a federal privacy law comes into existence, the Federal Trade Commission has filed an Advance Notice of Proposed Rulemaking seeking public comment on a number of questions related to digital privacy and security. It will additionally hold a public virtual hearing in September.
The FTC has passed such regulation in the past, such as the Safeguards Rule, which governs financial entities. Such regulations, should they be adopted, can be far-reaching and could have a major impact on multiple industries and, by extension, the economy, since in the modern world most businesses use digital data. If you have things to say, you are strongly encouraged to take advantage of the public comment period to make your voice heard.
Open Questions
The questions the FTC asks are complex, and some may require non-trivial levels of documentation. Some are clearly targeted at legal professionals and some require more in-depth technical understanding. The scope being requested is expansive, and that is where I think we may run into problems.
The Question of Complexity
If we look at a similar effort in Europe, when Belgium ruled against IAB Europe over its Transparency and Consent Framework (TCF), the ruling exceeded 100 pages and took nearly 3 years to complete, because in order to determine whether TCF was compliant with Europe’s General Data Protection Regulation (GDPR), the regulator had to develop an in-depth technical understanding of the online advertising ecosystem. Given the breadth of questions outlined by the FTC, I expect it will ultimately face similar challenges in drafting regulation due to the sheer complexity of data use prevalent in American businesses across multiple industries.
The Question of Skilled Staff Availability
I can say from experience, having recently completed a high-level overview of major platforms and technical privacy impacts, controls and requirements that exceeded 15 hours of live training, that the amount of background knowledge required to make decisions in this space is non-trivial. A comprehensive deep-dive training program would be weeks to months of material to learn initially, then consistent training to keep up to date with developments. The educational pipeline for knowledge in this space is limited, and colleges are playing catch-up behind industry.
We are starting to see education in the area of privacy engineering from colleges, but courses are typically a sub-module of a degree in Computer Security. Some colleges, such as Carnegie Mellon, have developed a full-fledged privacy program which they offer at a Master’s level. Very few good books on the topic exist, both due to the complexity of the material and the rate at which the requirements change. I think there will very likely be an education gap that persists for the foreseeable future, regardless of the proposed FTC rule or Congress passing a law. Companies will struggle to deal with this in the short to mid term.
Successfully implementing any final requirements from the FTC will likely be as difficult as compliance with any other privacy law, such as Europe’s GDPR or California’s Consumer Privacy Protection Act. Privacy Engineers often have a background in technical requirements, field-specific knowledge such as Marketing, and an understanding of the legal text and requirements. They need to communicate legal requirements to technical staff, and technical processes to legal and compliance staff. This multi-discipline role is thus already in demand due to privacy laws in other countries that American businesses need to comply with, and the talent pool to draw from is limited due to the level of education and experience required to be successful. I expect there to be a skill gap on par with, or larger than, the Computer Security gap – which at the time of writing exceeds 700k vacant positions and rising.
We’re 5 years into Europe’s GDPR, and companies are still struggling with compliance activities. I don’t expect the USA to do any better. For many companies, experienced staff will be hard, if not impossible, to come by for the next several years at a minimum.
The Supreme Court Question
While this wouldn’t normally be a concern, in late June the Supreme Court limited the Environmental Protection Agency’s ability to control emissions. The court majority called into question the “major questions doctrine”, citing that neither the EPA nor any other federal agency may develop and adopt rules which are “transformational” to the economy unless Congress has specifically authorized the action to address a specific problem.
If there’s one thing I am confident of, it is that data privacy and security regulation would be transformational to the economy in multiple ways. So the FTC’s efforts may ultimately be for naught, as, given this precedent, I would expect the Court to overrule the FTC unless Congress tasks the FTC with creating rules in this space.
Next Steps
If I had to suggest what should be considered in the short term, my recommendations would be as follows:
- Realize that since the Supreme Court’s decision against Roe, data privacy has taken center stage, and the tone has changed from ‘if’ to ‘when’. The USA will likely adopt data privacy law in the next few years, depending on how the mid-terms turn out in the fall of 2022.
- Participate in the public comment period and pay attention to what the FTC is doing so that you can get ahead of any potential requirements prior to their compliance deadlines (should that come to pass).
- Pay attention to any floor votes regarding the American Data Privacy and Protection Act.
- Build out compliance plans for the state laws going into effect next year (California, Virginia, Connecticut, Colorado and Utah). This is required in many cases if you do business in those states and you are running out of time to ensure compliance.
- Figure out staffing plans for future work. If you require data privacy specialists (and chances are you will), plan for those recruiting efforts to take longer, and cost more, than expected, and start early.
Lastly, if you wanted a book recommendation on data privacy – I’d recommend Data Privacy: A Runbook for Engineers as a decent primer on the subject from the technical point of view.