GDPR for the US? Data Privacy Laws May Be on the Horizon

Written By

Lynne McNamee

Pamela Hogle

January 18, 2019

With so many new eLearning technologies available and increased pressure from executive leadership to get better reporting and results from existing systems, learning professionals are under greater pressure to collect and use the data these systems provide. However, this coincides with greater restrictions on what data can be collected and used, not just by social media sites or companies in the EU. Be aware that data privacy laws and regulations soon could affect U.S. businesses, including L&D teams.

Business Roundtable, an organization representing more than 200 CEOs of leading American companies, is recommending that Congress pass a federal data privacy law. Even if no federal data privacy law is enacted, California passed a data privacy law in June 2018 that will take effect in January 2020—and other states might follow suit.

Data privacy has become a hot political topic as revelations about tech company abuse and the theft of customer data flood the media. The existing and potential patchwork of state laws and industry-specific regulations is the impetus for Business Roundtable’s recommendation for a single clear—and comprehensive—law. According to Cat Zakrzewski, writing for the Technology 202, a Washington Post tech policy newsletter, the Roundtable suggests:

  • Bringing various industry-specific regulations into harmony by streamlining them into a single federal law governing data collection practices
  • Encouraging companies to self-regulate in some areas, such as how they design privacy protections into their products and how they assess their privacy practices
  • Providing some flexibility for companies to determine how to provide consumers with information about they use customer data and how consumers can access, change, or delete that data
  • Creating a standard for how to notify customers of data breaches

Microsoft’s president, Brad Smith, went a step farther, recommending that a federal law address use of facial recognition software, as well as data collection and use. Microsoft’s suggestions include limiting the use of facial recognition software for surveillance in public spaces to life-or-death emergencies and situations where a court order has been obtained; requiring that companies using the technology comply with anti-discrimination laws; and demanding transparency regarding the technology’s limitations.

A potential model

California’s law taps the state’s attorney general to monitor privacy practices and bring cases against violators. The rules closely resemble Europe’s GDPR. Unless it changes, California’s law will:

  • Allow consumers to see what information businesses have collected on them and request that they delete that data
  • Prohibit businesses from selling personal data from users under age 16
  • Prevent tech companies from providing lower levels of service to users who choose not to have their data sold
  • Allow consumers to access information on the types of companies that their data was sold to
  • Allow customers to tell companies to stop selling their data

California’s law is aimed at protecting consumers, but the data that businesses collect on employees could also be affected.

Although GDPR is a European law and enforcement is in its infancy, it has triggered changes in how U.S. businesses handle data. “The GDPR … has already forced the Bay Area’s biggest firms to make it easier for consumers to retrieve their data and have it amended or deleted, and to ensure that data isn’t being collected and shared without consent. Once these changes have been made, the idea of having the same rules apply elsewhere becomes less outrageous,” David Meyer wrote in Fortune in November.

What might this mean for eLearning?

It’s too soon to tell what a federal data privacy law might look like, but it’s a rare area of bipartisan interest in the current Congress. “Legislators want to legislate, and will seek some opportunities for bipartisan agreement. One area where this may happen is federal legislation to protect personal information privacy,” wrote Cameron Kerry, of the Brookings Institution.

Even without knowing the scope of any future U.S. data laws, CLOs and L&D team leaders might want to start thinking about how they might treat data differently. As Lynn McNamee wrote in Learning Solutions, “It is worth keeping in mind the potential pitfalls while crafting a data plan and data policies to ensure that the letter and spirit of the law, and employee trust, are protected.”

A federal data privacy law is likely to include a definition of data and touch on how data are collected, used, stored, and removed—all areas that could affect collection of eLearning data. GDPR targets profiling based on data and other forms of automated decision-making. This could change the ways L&D designs adaptive learning, for example, or uses AI to personalize eLearning.

Data privacy is an area that executives and L&D managers should keep an eye on as 2019 takes shape. The eLearning Guild continues to explore the use of data in eLearning and will feature a Data and Measurement track at Learning Solutions 2019 Conference and Expo. Join us in Orlando and keep informed on the latest news and trends affecting eLearning design and development.

More Executive

You May Also Like