Consumer Privacy Regs Will Jump the Pond – CISOs Need to Observe, Understand & Act

November 13, 2019 | By Phil Gardner , IANS Founder and CEO

I learned to fly Navy jets in South Texas where the summer heat is oppressive and the thunderstorms are fearsome. From May - September, haze often masks these convective monsters. Our rule: if there’s any doubt, give summer weather a wide berth. So, after a flight where I almost stumbled into a TS4 behemoth, my flight instructor offered that “not making a decision IS a decision”. That’s stuck with me.

His words come to mind when I consider Washington DC’s stalled approach to protecting consumer privacy and regulating the downside of new technologies, including facial recognition, machine learning and AI.

On the surface, there are signs of progress. Arch-conservative Jim Jordan (R-OH) and liberal champion Alexandria Ocasio-Cortez (D-NY) see eye-to-eye on little, but they both agree that facial recognition needs to be regulated. Even the tech firms, including newly-minted free speech champion Mark Zuckerberg, are asking for federal consumer privacy legislation. Still, DC gridlock is winning the day -- no consumer privacy legislation is moving. And Congress, by not seizing the momentum, is collectively making a decision not to make a decision.

Nature abhors a vacuum – at least according to Aristotle or Einstein. So, when these new technologies create sufficient harm (happening now), its victims get angry, assemble and look for someone to protect them. With DC gridlocked, other government entities have stepped in to fill this void.

Out of necessity, the first to step up have been local governments. City councils like San Francisco and Somerville, MA have passed consumer legislation banning technologies like facial recognition outright. Detroit is allowing its continued use by the police, but with restrictions.

And then there’s Europe.

I’d wager that the most powerful person in tech that you’ve not heard of is Margrethe Vestager, the EU’s former Commissioner of Competition and newly-minted Executive Vice President. Vestager, a Danish bureaucrat, is currently more influential in setting U.S. consumer privacy legislation than anyone inside the Beltway. Let me explain.

Europeans view Silicon Valley’s market power differently. Across the Continent, Europeans worry they’ve become America’s technology colony. They’re angry. To them, American tech giants abuse their consumers’ privacy, don’t pay sufficient taxes, and suffocate entrepreneurs.

And, the Europeans have struck back -- to date, fines have been their primary revenge. They’ve imposed some big ones, for example: €8.3 billion against Alphabet and a €14 billion back-taxes bill to Apple.

With Vestager’s promotion, Europe has expanded its mandate. Expect new EU regulations around consumer privacy that include limiting facial recognition, machine learning and AI. Vestager is also spearheading new tax enforcement and heightened antitrust moves.

Why these EU moves matter in the U.S.

The EU’s regulatory actions and penalties are being closely watched by US state capitals – notably Sacramento and Albany. Just as GDPR provided the underpinnings for Cal Privacy, so too can upcoming EU rulings influence these state legislatures. At the same time, expect state attorneys general to study European penalties closely to see how they can be applied in their jurisdictions.

More important still, when a big state (say California or New York) enacts complex legislation, the historical pattern is that this becomes the federal standard. Look how California’s auto emission rules have become the de-facto standard. This same thing is happening with consumer privacy. Rena Mears, an attorney at DLA Piper, stated that “99 percent of [her] clients are making Cal Privacy their de-facto consumer privacy policy.”

U.S. companies are faced with a tough choice: apply strict first-mover standards like California’s to their national business, or slice and dice their business to comply with the emerging patchwork of international, state, and local legislation. CFOs hate the first option as much as general counsels hate the second.

As a CISO, you’ll need to Observe, Understand & Act

Observe: Watch Europe. Europe currently serves as the ‘test-bed’ for US consumer privacy regulations. Expect this to continue. Partner with a trusted European colleague on your risk or legal team to help get ahead of upcoming rulings. Building this relationship proactively will give you an in-the-know ally to help you interpret new regulations and to understand legislative intent.

Understand: Beef up your state regulatory awareness. Ask your outside legal counsel for a briefing on how your industry peers are complying with the growing hodgepodge of state and local consumer privacy regulations. Understanding your peers’ actions will inform your thinking as legislation crystallizes in Sacramento, Albany and Springfield.

Act: Weigh the short-term cost savings vs. the long-term headaches of taking a piecemeal approach. Privacy compliance will become more muddied over the coming 24 months as state and local actors enact privacy statutes that you’ll need to comply with. Get time with your general counsel and head of comms to build a playbook for a coherent response.

Remember, regulators are often as interested in your intentions as they are in your compliance with the letter of the law. If you adhere to stricter standards early on, and in good faith, you can reduce the chance of opportunistic state and local regulatory actions. Always leave a paper trail that explains both your compliance steps AND your good-faith intentions -- just in case things don’t go to plan.
