Navigating Global Privacy Legislations in a Global Society

Photo credit : TechCrunch via Getty Images

China, the most populous nation in the world, passed its first significant data privacy legislation in August. Moving forward, any global business or aspiring startup doing any type of trade or offering services online likely will be affected because they’ll be engaging with Chinese residents covered by the Personal Information Protection Law (PIPL).

Although this seems like pretty significant news, the legislation itself is similar to the EU’s General Data Protection Regulation (GDPR), which was introduced in 2016. What is shocking, however, is that companies had two years to prepare for GDPR, while PIPL goes into effect on November 1, 2021.

This leaves companies scrambling to figure out compliance. In addition, it highlights the importance and urgency of data privacy on a global scale. China marks the 17th country to establish a GDPR-like privacy law. Which global superpower is not on this list?

The United States has yet to adopt a broad-reaching, consumer-focused national data privacy law — despite multiple studies indicating that Americans want more control over their personal data online. This oversight has significant implications for the technology industry in particular.

With so much going on, it’s clear that we’ve reached a critical juncture in the maturation of data privacy. How we proceed will affect potentially billions of consumers worldwide as well as the development of companies ranging from the smallest startups to the biggest global enterprises. This moment demands careful consideration.

As such, let’s attempt to break down the present data privacy conundrum, starting first by examining how data privacy legislation is evolving in the U.S. and what this means on a broader scale, before diving into how data minimization attempts address these issues. After weighing these integral pieces of the data privacy puzzle, I will conclude by issuing a call for global data privacy standards that place people firmly in control of their data.

Data privacy in the U.S.

The data privacy landscape in the U.S. is complicated. In short, on the federal level, there has been movement but no overarching data privacy policy in place. There are industry-specific privacy regulations — The Health Insurance Portability and Accountability Act (HIPAA) governing healthcare and Gramm-Leach-Bliley Act (GLBA) covering consumer financial products.

There is also the Children’s Online Privacy Protection Rule (COPPA), designed to protect children under 13. The FTC jumps into the mix as well because it can go after an app or website that violates its own privacy policy (the Federal Trade Commission Act).

But our federal government hasn’t passed a sweeping bill that protects consumers’ digital privacy rights, leaving it up to individual states to do it themselves (e.g., California’s CCPA, Virginia’s VCDPA and Colorado’s ColoPA). This has left plenty of Americans without privacy rights and businesses confused about what they need to do.

Some folks argue that this is how it should be, warning that a gridlocked Congress could never pass meaningful consumer privacy legislation. Even if they do, it will be too watered down to matter, which would then negatively affect carefully constructed state laws.

At the same time, there is the potential of having 50 individual state data privacy laws — all similar, but likely each different in its own way, creating the nightmare scenario for businesses trying to do the right thing. Now magnify this globally.

Data minimization is not the only answer

One approach being bandied about to help address data privacy involves the principle of data minimization, which allows companies to collect and retain personal information only for a specific purpose.

Basically, it’s a call for companies to simply collect less data. Think marketing teams reducing their intake or establishing retention schedules to purge existing data.

This is great for some, but for others, it can be unrealistic. Even the most consumer-friendly companies are unlikely to encourage marketers to go out and collect less personal information about potential customers, and they could nearly always find a justification for grabbing data.

But, the practice, even in its purest state, could be detrimental to startups that rely on personal information and preferences to develop products and grow their businesses. Data minimization in this sense could have the unintended consequence of stifling innovation.

And frankly, it may not even be necessary if consumers have a say in how their data is acquired and used. In some cases, consumers are OK with sharing personal information because they prefer a more personalized, bespoke experience. For example, brands like Stitch Fix or Sephora ask for a lot of personal preferences upfront to provide a better shopping experience — and for many, that’s OK.