Existing privacy laws create parameters into which a federal privacy mandate will likely fit. More generally, a proposed federal law will likely be more flexible than what we have seen with European-style legislation, and it is unlikely that the mandate will be as narrowly tailored as what we have seen in U.S. state-level legislation.


It is likely that a federal law would include a requirement for a comprehensive privacy program at the corporate level, rather than focusing solely on individuals’ interactions. In fact, a federal privacy mandate is likely to include the following components:

  • Organizational governance: A federal mandate will require corporate leadership to set the right tone in terms of understanding responsibility for managing consumer data without doing harm. Leaders must own stewardship of this responsibility and push it down to the rest of the organization.
  • Risk management: Organizations must understand their privacy priorities and risks and focus their resources on reducing the risk of harm to individuals.
  • Comprehensive policies: Federal legislation will require that companies handle privacy programmatically by establishing organizational standards to ensure that operational processes recognize and deal with privacy issues on an ongoing, rather than an ad hoc, basis.
  • Training program: A federal law will likely mandate that organizations have a training program for employees in place. A training program will work to highlight organizational security obligations and how those relate to privacy. One piece of a training program will likely hinge upon breach notifications and how to respond in the event one occurs.

These components, which already exist in enacted privacy laws, will likely compose a significant portion of a federal privacy mandate. As corporations push for privacy laws and states continue to impose fragmented regulations, the need for a federal standard that preempts those laws to some degree is growing ever more pressing. Every single U.S. state now has its own data breach notification law, and a federal law would bring more commonality across state borders, making it less challenging for organizations to manage their privacy burdens.

Leaders must consider the U.S. desire for international influence: To the extent privacy and digital trade have become significant issues, a lack of a comprehensive standard puts regulators in a tough position. The draft new U.S.-Mexico-Canada trade agreement (USMCA) includes a provision on digital trade, which, among other things, requires the parties to the USMCA to adopt legal frameworks that protect the personal information of users of digital trade. A U.S. federal privacy law will likely take into consideration the critical role the United States plays in international trade dialogues; as such, the U.S. federal government will surely include language that gives the United States a much stronger footing in discussions of privacy issues involving one or more countries in which American corporations do business.

Address data privacy now for a compliance and competitive edge: Though no federal privacy law currently exists, organizational leaders can still take steps to prepare for incoming legislation. When it comes to privacy management, best practices include:

  • Understand what data relates to people—customers and employees—as well as the sensitivity risks associated with that information. Organizations must understand how to protect that information in accordance with guidance set forth by existing regulations.
  • Implement processes that allow organizations to manage data for proper business uses. The specifics of a federal law will dictate whether those processes should eventually focus on consent or other mechanisms to legitimize data processing, for example; but, for now, leaders should develop mechanisms to manage data effectively and responsibly for strategic business value while minimizing risk of harm to individuals.
  • Practice good data governance, security, and data quality assurance. By including good data practices in their current business processes, organizations will be more likely to seamlessly layer new privacy regulations into their current operations.

Regardless of the specifics of a potential federal mandate, leaders should prepare for two major components: Legislation will likely aim to give the United States a strong voice in international trade dialogues, and the law will also lean toward driving the economy and spurring innovation.

The law should cause people to think before they use data in a way that might cause individual or societal harm. By turning their attention to good data use, business leaders can begin to prepare for incoming legislation in a manner that will not only ensure compliance, but that will also build a competitive edge through innovation. A federal mandate is likely on its way, and organizations should start to get ahead of compliance considerations today.

Hilary Wandall is general counsel and chief data governance officer at TrustArc.