6 minute read 22 May 2019

How the consumer privacy policy landscape is evolving


Bridget Neill

EY Americas Vice Chair, Public Policy

Regulatory and policy strategist. Three decades in shaping public policy impacting global financial markets and accounting profession. Passionate about family. Outdoor sports enthusiast.

Related topics Public policy Assurance

Considerations for businesses and other stakeholders managing through the uncertainty.

The amount and types of data held, shared and used by businesses and organizations have exploded in recent years, spurring policy debates and yielding new and often overlapping regulations aimed at protecting consumer data and privacy. The European Union (EU) General Data Protection Regulation (GDPR), in force since May 2018, and the forthcoming January 2020 implementation of the California Consumer Privacy Act (CCPA) are creating uncertainty and challenges for companies as they navigate the growing jurisdictional fragmentation.

Complicating matters further, several other US states are considering legislation to establish their own consumer privacy regimes. The potential for a growing patchwork of laws within the US and around the world warrants consideration of how such developments impact business models and practices. It also raises questions of how innovation will be impacted as data continues to increase in importance and value to businesses.

In light of these concerns, pressure is building for Congress to establish a national standard that would preempt state laws. The path for federal legislation, however, is fraught with potential roadblocks amplified by Washington’s increasingly partisan environment.

Questions for boards and business leaders to consider

The evolving consumer privacy landscape presents new challenges for boards and business leaders. Companies need to consider how they will respond to and manage potentially conflicting directives. Below are some questions companies can consider as they prepare for a range of potential new requirements in this area:

  • How do new or pending consumer privacy regulations and frameworks impact the organization? How should policies and practices be modified to foster compliance and interoperability with various regimes?
  • How will new or pending privacy regulations and frameworks impact the organization’s strategy, competitive position, and business models and practices?
  • Does the organization have appropriate resources dedicated to implementing required changes and sustainably managing new business processes?
  • How is the organization building workflows and processes that support the intake, management and fulfillment of individual data rights?
  • How is the organization using personal data to support innovation, including artificial intelligence, machine learning and automated decision-making? How would these use cases be received by consumers, employees, the media or regulators?
  • Is there a clear understanding by senior management of the business purpose for the data collected and retained?
  • Are appropriate considerations being given to evolving data remediation requirements? This could include deletion, anonymization and pseudonymization (i.e., the process to de-identify personally identifiable information).
  • Has the organization considered how new or pending developments could impact the following areas?
    • Employment, supplier, customer and other third-party contractual provisions
    • IT systems dealing with data storage, transfer and security
    • Compliance programs and procedures, including ongoing monitoring
    • Preparedness plans for a data breach, notification requirements, and related regulatory and reputational issues
  • Does the organization have capabilities to identify and respond to the policy developments unfolding at the state and federal levels in the US and around the globe?
  • Does the organization understand the need to incorporate and infuse “privacy by design” in the development of new products and processes?


Outlook on federal efforts

Congressional efforts
Congress is taking up the challenge of trying to establish a single national standard for consumer privacy. As part of the process, some members are reviewing the GDPR and CCPA for potential leading practices and lessons learned. While there is a chance that a comprehensive privacy bill could move forward and be signed into law this year, legislating will be difficult because:

  • Multiple congressional committees have legislative jurisdiction over privacy.
  • States with stricter rules (e.g., California) often resist federal preemption of their rules.
  • Policymakers in Washington have limited expertise and understanding about the operational and technical implications of related policy decisions.
  • The long-standing populist nature of the issue has divided the Republican and Democratic caucuses.
  • The increasingly partisan environment also creates additional hurdles in the lead-up to an election year.

Several members of Congress have introduced data privacy bills, but so far these have been viewed as “messaging” positions and are not expected to advance. Some concepts embodied in these bills could be included in a final agreement as details are negotiated; however, it is the chairmen of the committees with primary jurisdiction over consumer privacy — i.e., the Senate Commerce and House Energy and Commerce Committees — who will drive the process.

As Congress considers privacy legislation, the following concepts are expected to be a part of the debate:

  • National preemption
  • Application to all industries
  • Private rights of action
  • Transparency
  • Consumer rights
  • Consumer choice or consent
  • Enforcement
  • Rulemaking authority
  • Competition

Senate efforts
The Republicans control the Senate but still need to meet the 60-vote requirement to pass legislation. Given the current breakdown, at least eight Senate Democrats would need to support a bill for it to pass and be sent to the House for consideration. The Senate Commerce Committee is undertaking efforts to develop a bipartisan draft bill, but timing and the path forward are not clear. Other committees are also considering their role in consumer privacy reform, e.g., the Senate Banking Committee.

House efforts
Democrats control the House, and many members, including Speaker Pelosi, are likely to have significant concerns about a federal law that would preempt the CCPA or their own state’s efforts (see further discussion in the US state activities section). Many moderate Democrats support preemption. As a result, there appears to be a divide within the party on the foundational issue of preemption.

Some Democrats support the CCPA or GDPR as the floor for federal legislation, others oppose federal preemption and many members have not had enough time to fully consider the issue. There is also disagreement among Democratic leaders on the Energy and Commerce Committee, which has primary jurisdiction over consumer privacy in the House. This is likely to further slow the process. Some House Democrats have suggested that they may have to wait for a bipartisan bill to come from the Senate before the House is able to act.

Trump administration efforts
Heeding concerns from the business community and various privacy stakeholders, the Trump administration announced its support for a national unified privacy standard and called on Congress to establish it after a series of listening sessions driven by the White House’s National Economic Council.

The administration also announced that the National Institute of Standards and Technology (NIST) would undertake an effort to develop voluntary enterprise-level standards designed to help organizations manage privacy risk. NIST released its initial discussion draft of the framework for feedback. Comments will not be made public, and the process is meant to inform NIST’s ongoing stakeholder engagement efforts.

In a parallel and coordinated effort, the Commerce Department’s National Telecommunications and Information Administration (NTIA) released a broad framework outlining the administration’s approach to privacy and invited stakeholders to comment. The NTIA framework was viewed as a signal to the global market about the direction the White House wanted Congress to pursue.

US state activities

About 30 states are in the process of considering consumer data privacy, biometric data rules or updates to data breach statutes. Most of the proposed legislation is not focused on creating consumer privacy legislation as comprehensive as the CCPA. Instead, many states are considering laws that focus on one specific area or industry, such as data brokers. For example, Vermont became the first state to regulate data brokers that collect and sell personal information about consumers with a law that went into effect 1 January 2019.

There are several states, however, that are following in California’s footsteps and considering comprehensive consumer privacy legislation. More details should come into focus as states move forward with their legislative processes.

International developments: GDPR remains most consequential

To date, more than three dozen countries have adopted policies and rules aimed at protecting consumer data privacy, and many more are considering proposals. Of these, the EU’s GDPR is the most impactful. In effect since May 2018, the GDPR includes requirements related to privacy impact assessments, privacy by design, enhanced consent requirements, new data subject rights, appointment of a data protection officer in certain circumstances, new obligations imposed on data processors, 72-hour breach notifications and new accountability requirements.

The GDPR applies to organizations that are established in the EU, where personal data is processed in the context of its EU establishment’s activities. Separately, the GDPR also applies to non-EU established organizations that target or monitor EU data subjects. Most EU Member States have implemented their own privacy and data protection laws that align with the GDPR, with minor and permitted exemptions.

EU Member States’ data protection authorities (DPAs) have taken different approaches to enforcement, and there has been little clarity on the methods used when determining fine amounts. Fines for a breach can be substantial under the regulation — up to 4% of total annual worldwide turnover or €20 million. However, only a relatively small number of reported breaches have been investigated and subject to fines. In these cases, there has been a large disparity in fine amounts, ranging from less than €5,000 to more than €50 million.



This publication examines the evolving consumer privacy landscape in the United States; highlights major international developments, especially with respect to the GDPR; and outlines key business considerations to help companies navigate the uncertainty, plan for changes in the regulatory environment and manage new rules and policies.
