Security experts want national law prohibiting private privacy lawsuits

The Business Roundtable (comprised of CEOs of top US companies such as Apple, BestBuy and BNY Mellon, and major retailers such as Home Depot) is asking Congress for a national privacy law that preempts state privacy laws like the California Consumer Privacy Act. They have proposed a framework and want the national law to prohibit private privacy lawsuits, but to allow consumers to exert "reasonable" control over the collection, use and sharing of their personal data.

Independent experts on security, privacy and risk management with Shared Assessments and KnowBe4 offer perspective:

Tom Garrubba, Vice President and CISO, Shared Assessments: "I believe fines need to be descriptive and published – similar to Europe’s General Data Protection Regulation (GDPR). Organizations need to know what the direct outcome (i.e., fines) would be for non-compliance. This would help the management of US-based organizations get a better picture of the risks involved in non-compliance."

Lecio DePaula Jr., Data Privacy Director, KnowBe4: "Creating a national privacy law can provide many benefits for US consumers, especially since organizations will only have to follow one standard. However, if a law such as this were to be created, it is necessary to look at it from all angles to provide consumers the protections granted to them by the constitution and their undeniable right to self-determination. Some of the big players do not want to see US consumers given full authority over their data, which is a consumer digital asset - whether the consumer is aware or not. The large players have been making billions of dollars off of this data for a long time now, and creating a law that is prescriptive such as the CCPA or the GDPR in the EU can cause harm to the bottom line. These laws are being created to protect consumers and although not all aspects are business friendly, organizations should be able to find innovative ways to still use the personal data in a legal and ethical way that still enables their businesses. Creating a national law that is less prescriptive will not be beneficial in the long run - these laws have been needed for a long time now. I am hoping more privacy experts chime in on any proposed regulations and advocate for stronger consumer privacy."