
“The arrival of the Kentucky, Indiana, and Rhode Island laws should not be celebrated as progress,” said Ted Miracco, chief executive officer at Approov. “The U.S. remains the only major global economy that treats human privacy as a local issue rather than a national security imperative.”
Miracco said it’s an especially egregious failure at a time when our industry enters the era of
Denis Calderone, chief operating officer at Suzu Labs, added that of the three new state laws, only Rhode Island has raised the privacy bar.
Rhode Island’s legislation has a proactive disclosure requirement that forces companies to publish who they’re selling data to by name, not just category, without waiting for consumers to ask, Calderone explained.
“That goes beyond what even the
Calderone pointed out that if proactive disclosure works at the state level without the industry collapsing, that removes the “too burdensome” objection that has stalled federal legislation. On the flip side, Calderone said that the louder the industry pushes for a national privacy law, the more history suggests it could end up weaker, not stronger, than the strictest state requirements.
“Companies betting on federal law to simplify their lives might get a floor, not a ceiling,” said Calderone.
Industry effect of global patchwork of regulations
Heath Renfrow, co-founder and CISO at Fenix24, added that despite the challenges of managing all the different laws, state attorneys general are becoming more sophisticated, and privacy enforcement increasingly overlaps with breach response, incident investigations, and cyber insurance scrutiny.
“In a fragmented regulatory environment, the organizations that fare best are the ones treating privacy as an operational capability — embedded into security, recovery, and resilience — rather than a once-a-year compliance update,” said Renfrow.
Tim Mackey, head of software supply chain risk strategy at Black Duck, pointed out that managing a tapestry of privacy regulations in the U.S. isn’t easy, but it’s not just an American problem. Companies have for years had to maintain compliance with multiple global regulations whose legal frameworks often differ fundamentally from those of the country where the business is headquartered, he continued.
“One tactic in dealing with privacy requirements is to distill them down to essential requirements and then implement strong governance around those requirements,” said Mackey. “It’s far more than just a least common denominator effort. Instead, it should be thought of as establishing a guidebook for internal teams to know when they are on the safe side of the line and encourage them to engage if they find themselves straying closer to the line.”