When will the United States start taking privacy seriously?

October 28, 2022

Ever since its founding, the United States has had an adversarial relationship with Europe. It doesn’t like to take cues from across the pond. It likes to forge its own path, for better or worse. Take football for example. Not American football—REAL FOOTBALL. 

Soccer has been the world’s game for decades and despite a lot of effort to change this fact, it’s fourth or fifth in the pecking order for major sports in the US. American football will always be king.

When you compare the two side by side, there are a lot of similarities. Both have 11 players on each side, both can tie game strategy back to military strategy, the size of field is roughly the same and yet the US has never taken a shine to soccer. Maybe it’s the lack of violence, but that’s a topic for another blog.

You might wonder why I bring all of this up in a post about privacy. Well, just like sports, the US doesn’t like to emulate the security and privacy policies that originate in Europe. The current global standard for privacy is GDPR, which was passed in 2018 in the UK and impacts companies who collect customer data from that country.

GDPR is risk-based and it requires a lot of time, money, and effort to maintain, but is it broad enough to protect the ever-changing technology landscape. When it was passed, there were significantly less SaaS-based companies collecting and storing customer data that could be shared or even sold against the users will. 

Now, virtually every interaction that happens online requires the sharing of private information and that is only going to increase in the coming years. That begs the question, if GDPR is the current global standard, is it doing enough to protect consumers, and beyond that if the US hasn’t implemented regulations that even meet the requirements of GDPR, will they ever catch up?

Currently, the closest regulation to GDPR in the US is the upcoming CPRA, which goes deeper than CCPA, but it doesn’t require a Data Protection Officer, who’s solely responsible for looking after the privacy of user information.

And a lot of these privacy regulations went out the window in the aftermath of the COVID-19 pandemic. In the beginning consumers were okay with this as we were all sacrificing a little privacy for the greater good of society, but when it started to feel like the government was tracking our every movement, we could see how if this behavior wasn’t checked quickly, this type of government surveillance could be normalized and more difficult to eliminate.

The crazy part about all of this is consumers didn’t seem to care when they found out Facebook was doing the same thing in the aftermath of the 2016 election, but it seemed more sinister when it was our elected officials who were taking advantage of our personal data to track our activities.

Now that consumers have more insight into how far reaching access to their personal information could be, they are more inclined to support measures that restrict companies and governments from accessing and using that data without their permission. So what are the next steps in the evolution of privacy regulations?

We now live in a world where most companies have outsourced their data centers, which makes us wonder how much we really know about who has access to our data. And it’s not just the third parties that we work directly with. Fourth, fifth, sixth parties, and more down the line might have some access to a small portion of our data. As a result, how can we ever be truly sure that our data is being protected?

This is where vendor risk management comes into play. A tool like Whistic is purpose built to help businesses not only identify inherent risks in potential vendors, but helps you monitor risk of vendors over time through integrations with tools like Vanta, Drata, and RiskRecon. In the past, this process was cumbersome and time-consuming, but Whistic enables you to automate much of the process, saving you time and person-hours that can now be reallocated to help secure your environment. 

I bring all this up to say that the best way of ensuring privacy of your data is knowing where your data is and what residual risks your organization faces. Whistic’s vision is much larger than just trying to fix the vendor assessment process. Our goal is to create a network of companies where transparency is the top priority. Where businesses proactively publish and share details about their security posture without waiting for the last minute.

That’s why we founded the Security First Initiative to promote transparency and why we make Basic Profile free to any business that wants it. Because we know when more companies are transparent about security and privacy policies and are taking a collaborative approach to protecting data, the more secure that data will be.

It’s hard to say if the United States will ever catch up with global privacy standards, but in a perfect world, businesses will take it upon themselves to take the necessary measures to protect customer data. If that happens, it’s a win/win scenario for everyone involved. Customer data is protected and everyone is protected from government overreach into our privacy that we saw during the COVID-19 pandemic. 

Written by Jake Bernardes, VP Security & Compliance at Whistic. Presented at SaintCon 2022. 

information security cybersecurity vendor risk assessment vendor security review vendor security management

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.