Data Security and Consumer Privacy in the U.S.

Similar to new data security and privacy laws sweeping the European Union and California, it is only a matter of time before new laws are required throughout the United States. This week’s news is that the U.S. House and Senate held hearings on data security and personal privacy.

The timing of the first set of hearings on Capitol Hill aligns with the fact that several other states – such as Washington, North Carolina, Oregon, and Virginia – are on a path to either pass new security and privacy laws or update their existing ones.

With the California Consumer Privacy Act (CCPA) looming in 2020, it comes as no surprise that the federal government is stepping up the dialogue for a more comprehensive data security and consumer privacy framework.

U.S. Senate

On Wednesday, February 27, 2019, the Committee on Commerce, Science, and Transportation held a hearing entitled, Policy Principles for a Federal Data Privacy Framework in the United States. This Committee has oversight of the Federal Trade Commission, which is the primary enforcement agency for data security and consumer privacy.

Senators from both sides of the aisle queried the expert witnesses on the following topics.

  • Federal law preemption of state laws.
  • Importance of having a single data security and consumer privacy law.
  • The level of transparency and control of consumer data – opt-in vs opt-out.
  • Policy for usage of consumer data does not prevent harmful or discriminatory actions to the consumer.
  • Different policy requirements for children not covered under COPPA and what needs to be changed in a 20-year-old law.
  • The policy needs to be cohesive in aligning data security with protecting consumer privacy.
  • Policy requirements to minimize the impact on small and medium-size businesses and innovators, an impact that has occurred since GDPR went into effect.
  • Discussion on the level of empowerment legislation provides to the FTC to enforce the law.
  • Notice and consent are no longer sufficient in providing consumers with a clear insight into how their personal data is collected, used, and shared.

There is a bill on the Senate floor right now, S.189 – Social Media Privacy Protection and Consumer Rights Act of 2019. The bill was introduced by Sen. Klobuchar, D-MN, on January 17, 2019. The witnesses all agreed to assist the Committee to craft a more comprehensive framework within this bill.

U.S. House of Representatives

On Tuesday, February 16, 2019, the Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce held a hearing titled, Protecting Consumer Privacy in the Era of Big Data.

During the U.S. House hearing, expert witnesses answered questions on the same topics as the hearing in the U.S. Senate. You can follow the discussion in the video.


In real estate, our companies have a lot of consumer data. Some of us are using and sharing this data in order to deliver relevant services and content to consumers; something that consumers want.

How does this impact real estate?

Bipartisan support for federal legislation on data security and consumer privacy seems to be evolving. Passage of this legislation is going to be determined by the details in protecting consumer privacy and data security. Today’s politics certainly exposes a philosophical difference in the implementation of a law. In short, it is going to take time and compromises to have something in place before 2020.

What is different in both of these hearings from GDPR and CCPA is the concern for consumers losing out on services or being confused by notice and consent. These hearings also discussed how GDPR generated unintended consequences for small businesses and technology innovators.

Note: The California Consumer Privacy Act (CCPA) only targets businesses that have gross revenue of $25 million or more, and exempts non-profits and governments. Furthermore, CCPA states that businesses having 50,000 or more consumers in their database must comply with the law.

Companies that have already implemented a Data Security and Consumer Privacy Strategy should stay focused on maintaining and managing the strategy. Any changes to federal law will have to be incorporated into the strategy.

Those who are just beginning to develop a strategy should keep moving forward with crafting their strategy and continue to monitor what Congress is doing. New laws can cause a pivot in the processes or strategy.

Companies that have not started a strategy should think about doing one soon. Read this GDPR white paper before starting. You should have something in place no later than December 31, 2019, if you qualify under CCPA business requirements.

WAV Group is happy to get on a conference call with your team to discuss Data Security and Consumer Privacy Strategy. Contact Victor Lund, Marilyn Wilson, or David Gumpper to schedule some time.