The clock is “TikTok-ing” towards wider US data privacy legislation: how can businesses prepare and exploit this?

As TikTok CEO Shou Chew sat in front of the 50 members of the House Committee for Energy and Commerce last month, he found himself on the same hotseat that his counterparts from Meta, Twitter and YouTube had inhabited in the years prior. During the over 4-hour grilling, Chew faced questions ranging from national security implications, to the nature of the data sharing relationship between TikTok and its Chinese-parent company ByteDance, to the app’s data collection of US citizens. By the end of the hearing, bipartisan support for the regulation of TikTok was evident. 

Unsurprisingly, the hearing and its attendees have been ridiculed on the very application they are seeking to regulate. Many users highlighted the inability of some committee members to grasp the algorithmic workings of the app, whilst others decried the perceived xenophobic rhetoric of several lines of questioning. One criticism levied at the Committee was that US-based organizations had been mishandling and misusing personal data for years and yet, despite public hearings and half-admissions of guilt, no regulation had been imposed on the US tech giants. 

While federal data privacy legislation still appears several years away, 2023 will undoubtedly change this landscape for US businesses. As Colorado, Utah, Virginia and Connecticut follow California’s lead in enforcing state data privacy legislation (with 19 other states in varying stages of introducing legislation), organizations processing US citizen data have a unique opportunity to seize a competitive advantage.

From risk-prevention to rights-promotion

Prior to the creation of the Californian Consumer Privacy Act (CCPA), US privacy architecture can best be described as following a sector-based approach. The Graham-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPPA), and the Children’s Online Privacy Protection Act (COPPA) provide federal cover for personal data in various high-risk cases – financial data, health data, and children’s data respectively. 

What the CCPA and its affiliates advance is therefore a departure from a sectoral to a territorial approach. Under the CCPA, any Californian resident is required to be provided four key rights: The right to know what information is being collected, the right to delete personal information (with exceptions), the right to opt-out of the sale of their information, and the right to non-discrimination. Therefore, the onus is placed on the rights of the individual, rather than the nature of the data they provide.

This shift from harm-prevention to rights-promotion echoes that of the CCPA’s European cousin: the General Data Protection Regulation (GDPR). Under the GDPR, EU and UK individuals effectively own their personal information, with severe penalties for organizations that fail to adequately protect or misuse the personal data provided to them. Since its inception in 2016 (and as of March 23), failure to adhere to the GDPR has resulted in cumulative fines of almost 2.8 billion Euros. Last year, the first fine under the CCPA was issued to the cosmetics giant Sephora, which was ordered to pay $1.2 million for 3 violations following a spot-check by the Californian data privacy authorities.

Get the memo

The example of Sephora is a crucial one in understanding the future of US data privacy. Californian Attorney General Rob Bonta issued a combative statement upon its announcement, warning companies that “it’s time for [them] to get the memo: protect consumer data, honor their privacy rights.” 

And US consumers do care.

A 2019 article by Pew Research showed that over half of Americans had decided not to use or to stop using products due to privacy concerns. Meanwhile, research showed that 86% of Americans believe businesses and organizations collect too much data, while nearly two thirds of Americans believe threats to their personal data are growing faster than businesses and organizations can keep up. Consequently, 64% of respondents said that the potential risks they faced by providing too much personal data outweighed the benefits of doing business.

What emerges therefore is a picture of a suspicious, concerned and privacy-seeking US consumer.

Innovation as a competitive advantage

The arrival of wider US privacy legislation must be seen by organizations processing US-citizen data as an opportunity for innovation and reputation enhancement rather than a purely regulatory exercise. The US consumer is looking for the organizations they do business with to prove that they are privacy conscious. Similar to recent trends in environmental social governance (ESG), consumers desire their brands to reflect the same ethical and privacy-focused considerations as they do. 

Major companies such as Meta, Sephora and TikTok are facing an uphill battle to rebuild consumer trust following their public privacy failings. This means that smaller and more agile organizations can seize a competitive advantage and challenge established industry leaders through integrating innovative privacy architecture.

Consider the following three areas as ripe for innovation:

• Agility in adoption – Integrating privacy architecture pre-emptively throughout an organization will support future-planning and enable the rapid adoption of privacy requirements as they develop
• Flexibility in UX – Providing consumers with clear and effective tools to manage their personal data will not only fulfil your organization’s regulatory obligations, but also demonstrate your privacy-credentials and build consumer trust
• Visibility in compliance – Adopting a privacy-conscious mindset and framework can enhance your brand’s reputation and provide a competitive advantage over your competitors; e.g., Apple’s recent ad-campaign was focused on iOS14.5 update and its ability to stop ad tracking and external data collection

It’s better to be first

As the CEOs of TikTok, Meta and others can attest to, it’s clear that US data protection legislation is moving in only one direction. Significant progress has been made on a federal privacy act, as the American Data Privacy and Protection Act (ADPPA) moves towards a vote on the house floor. Pre-emptive action can not only protect your organization from regulatory fines but also act as a key difference-maker for your customers and your brand.

Our team of digital transformation experts can help you design and deploy a cutting-edge automated privacy framework today, using our deep expertise to not only provide innovative solutions to consumer privacy problems but also to communicate these in a way that enhances your brand reputation.