The Privacy Tipping Point

Federal Privacy Regulations

Is 2019 The Year for Federal Privacy Regulations?

Over the past year, we’ve written about GDPR, the proposed California Consumer Privacy Act (CCPA), and support for the GDPR technical controls within our product offering. Though a minority of the states are modeling proposed privacy regulations on GDPR or CCPA, there has been no unified action at the national level due to differing viewpoints. Luckily, we’ve reached a tipping point, and if 2018 was the year that breaches became the topic of common discourse, 2019 should be the year that we’ll see real action taken to protect our privacy.

In a Feb 5th opinion piece, the New York Times called for the Federal Trade Commission (FTC) to step in regarding Facebook’s application integration plans. One way to look at this is for the FTC to take a more expansive role, not only looking at traditional metrics such as pricing but also taking into account potential negative impacts on privacy.

As the Times points out, the proposed integration not only introduces additional privacy concerns due to data sharing across applications where users expect different privacy guarantees, it is also possible that Facebook is attempting to fast-track the consolidation to head off potential future FTC anti-trust action. It may seem obvious that if the services are in fact combined, all current users will need to accept the revised privacy terms, with their accounts placed in an inactive mode until such time as they accept them.

Adding fuel to the fire, as I write, the German regulators have ordered Facebook to radically change how the company gathers and uses information, considering it a violation of privacy to gather data from 3rd parties, even if publicly available, for the purpose of profiling individuals. Whether other countries take the same view is yet to be determined.

Where does that leave us? One area of disagreement is between internet properties that rely on the monetization of user data (including advertising) and those that have less skin in the game. Cisco, not surprisingly, has recently come out in favor of a GDPR-like regulation on the national level. Apple straddles both domains and has also voiced approval. Note that companies that do business in the EU are in fact subject to many GDPR provisions already, and those tech firms based in California will be subject to CCPA. That leaves Facebook, Google, and others, their viewpoints evident in the controversy mentioned earlier.

If the new Congress does its work, it will develop legislation that places personal privacy first, and the affected internet properties will understand that any action now will head off potentially more stringent regulations in the future. They must also take into account any state regulations, and not attempt to pass a regulation that offers weaker guarantees. Though some consider this hybrid approach onerous, it can in fact be effective, as with California’s auto emission guidelines. And, as soon as we place a federal privacy regulation behind us, we can spend time on an issue just as important, or even more important: Securing the Internet of Things.

For information on automating compliance in your organization visit


© 2019 Cavirin Systems, Inc. All rights reserved.