5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: July 1, 2024
Privacy Pro dreams were shattered at the end of last week when the long-awaited federal privacy law v2.0, the American Privacy Rights Act (APRA), appeared to have been dealt a potentially fatal blow. After redlines were made to an updated draft of the proposed regulation, a scheduled markup was canceled on June 27, leaving the future of the law in question amid concerns it been had substantially weakened with the removal of civil rights protections and provisions intended to prevent algorithmic discrimination. However, this isn’t the first time this has happened to a proposed federal law. Seasoned privacy pros have seen this movie before with the ADPPA. Which begs the question: Will we see a comprehensive federal privacy law any time soon?
As we approach the second half of the year, it’s difficult to predict what exactly is around the corner for privacy pros. It’s already been six months full of surprises—the rise and possible demise of the APRA, White House Executive Orders on Sensitive Data, acclimating to the new California Regulations, and a substantial list of new state laws. After the events of last week, the only thing we can predict for the rest of the year is…more unpredictability.
What we can tell you is that with a growing trend of regionalized, thematic, and disparate regulations emerging on a near-daily basis (state comprehensive, health, AI, consumer and content moderation to name a few), the landscape continues to get harder to navigate. As an example, it is no longer possible to have a one-size-fits-all privacy policy. Instead, requirements of state health privacy laws may require you have standalone policies. It means that overnight, the jigsaw puzzle goes from 100 pieces to 10,000 pieces, requiring delicate analysis and precision to get each section assembled in the right way. Applying consistent baselines and following the strictest approach may be possible for some areas of governance; however, for others, it can also result in potential conflict as well increasing the workload of an already under-resourced team.
So, what is a privacy pro to do? The role feels increasingly challenging—so much so, that it makes me wonder if all privacy pros need to don a cape and eye mask before flying into problem-solving meetings. And this begs the question: will the U.S. see a super-law to solve these problems for us?
A federal privacy law could simplify the current patchwork of U.S. privacy laws by setting a national standard applicable to each state. This would help companies to operationalize programs with greater ease, applying the same standards across state boundaries. This would free up a privacy pro from juggling an obstacle course of compliance requirements, ready to take on the myriad of laws, and allow them to direct time currently spent tracking laws and updating systems toward uncovering and applying business insights. A federal law would also benefit consumers by promoting privacy equality across the country and allowing state neighbors to have the same rights and privileges over how they manage their data. If you are in California, you have the right to have your information corrected but this is not the case in Utah, though both states have privacy laws. Add to this that in two-thirds of US states, there are no privacy rights at all.
I think most privacy pros would agree that the United States needs a federal law, in some form. The data paints a frustrating picture: 70 percent of the nations in the world and 79 percent of the global population are protected by national privacy laws. Of the top 10 GDP nations in the world, the U.S. is alone in not having a federal law.
To be blunt, it’s a bad look. With an economy dependent on international trade and a free exchange of data, the lack of a dependable data protection framework able to withstand international scrutiny is worrisome.
And with increasing concerns over the level of protection afforded to sensitive information, such as health information or children’s data, and discussions about potential abuse by foreign state actors, the lack of federal privacy regulation is deeply troubling.
However, not everyone agrees that a federal law is by default the right solution. Case in point: California. The California Privacy Protection Agency (CPPA) opposes APRA because it believes a federal law would weaken the protections Californians currently enjoy under the CCPA and the California Delete Act. They feel that a federal law prevailing over those state-level protections would weaken intentionally strict CA protections. And let’s not forget, those are protections that Californians voted in. With California being the most populous state in the US, its position is compelling and makes a lot of sense. But is it reason enough to forego a federal law that could potentially benefit the remainder? And why not adopt the CA protections as a baseline? Because those pro-privacy protections may be seen by other states as simply too progressive in a way that potentially harms business. For long-term success, taking a more radical approach at a federal level, straight out of the gate, may be too much; we simply may need time to evolve and get to that place.
It is worth remembering, in the interests of fairness, that a federal law does not solve every problem. With a federal privacy law coming under the purview of a lone regulator, the FTC, it is easy to imagine the potential delays in enforcement that one single regulator could have. If that were to occur, perhaps a consequence of that is a focus on Big Tech that would dissuade programmatic change for smaller business where arguably, change is most needed.
While a federal law has yet to make it through congress, we’ve had a few earnest attempts. But at this time, it remains to be seen if the U.S. will pass a federal law. As I write, the likelihood of the APRA passing seems low. Jointly proposed by Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA), this bi-partisan, bi-cameral bill sparked hope that it would make through Congress. But that hasn’t happened and the events of the past week seem to indicate that it won’t. Mounting disagreements and revisions may just be too much to overcome.
If the APRA doesn’t pass, it is, unfortunately, more wait and see for Privacy Pros on whether a federal law will emerge. We will likely we will see more bills in future. In 2024, 21 comprehensive privacy bills have been filed across 13 states. In 2023, 66 comprehensive privacy bills were filed across 31 states. There is clearly an appetite for wider privacy regulation that would support the idea of a federal regulation, but it is likely that concessions will have to be made. The two most strongly contested points appear to be on the right of preemption and the ability to raise a private right of action, but there is also the small matter of how to enforce. One potential compromise could be to enable regional regulatory supervision, using established agencies under FTC oversight. Or would that simply create more confusion?
Time will tell what happens. However, in the interim, while we wait for that super law amid small but meaningful steps toward increased protection and enforcement, it is imperative that that those superhero privacy pros take steps now to strategize on their compliance programs. First, map or inventory your data so you know what you have and can understand what laws you need to be compliant with. Secondly, think through how you can operationalize priority areas to embed them in your business. This might be through training of privacy champions and adopting technology to automate privacy compliance obligations.
Federal privacy decisions in the U.S. are a waiting game we’re all playing. But while you’re waiting, you can stay up to date on the rapidly changing privacy landscape, with these Osano resources:
Hang in there, and stay tuned: In privacy, as in most things, the only constant is change.
Want to learn the A-Z of data privacy from a clear, simple, results-oriented perspective? The Privacy Insider book is for you!
Download Now
Rachael Ormiston is the Head of Privacy at Osano. With over 15 years of professional experience, she has deep domain expertise in Global Privacy, Cybersecurity, and Crisis and Incident Response. Rachael is an IAPP FIP and has previously served on the IAPP CIPM Exam Development board. She has a personal interest in privacy risk issues associated with emerging technologies.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.