Salesforce Public Policy Experts on What’s Next for U.S. Privacy Law
The year ahead could be an inflection point for privacy law in the United States. In this interview, Salesforce’s Ed Britan, Head of Global Privacy, and Hugh Gamble, Vice President, Federal Government Affairs & Public Policy, share why that’s the case — and reveal how companies can keep pace in a climate of mixed regulations and expectations.
Q: How are global organizations and governments approaching data privacy today?
Britan: Governments and companies want more control over their data, to be accessed when, where, and how they intend.
And they increasingly want to keep their data within certain jurisdictional boundaries. At Salesforce, this happens through Hyperforce for data residency, and with the Hyperforce EU Operating Zone, which will ensure that customer data is stored and processed solely within the EU with 24/7 customer and technical support delivered by EU-based personnel.
We’re also seeing customers increasingly seek out products that help them meet their global legal obligations, such as new rules in the California Privacy Rights Act (CPRA) and other U.S. state laws around collecting and managing customer engagement preferences.
We’re really focused on helping customers comply with these kinds of obligations with our Privacy Center product and other products that support Global Privacy Control-based opt-outs and consent management.
Q: What is the impact of the United States’ failure to pass a federal privacy law?
Gamble: The U.S. Congress made progress with last year’s draft federal privacy law, the American Data Privacy Protection Act (ADPPA). Many organizations, including Salesforce, were championing the law, but it ultimately stalled as Congress tackled other priorities.
The continued lack of a federal law encourages individual states to take action. This is a challenge for companies in every industry, because they have to comply with varying laws in different jurisdictions in addition to international regulations.
Q: What will it take for the U.S. to enact a federal privacy law?
Gamble: We believe that privacy is a fundamental human right and should protect users in whichever zip code they reside.
A bipartisan privacy agreement in Congress, if reached, could be a prime candidate for passage in a political environment where there are precious few opportunities to work across the aisle.
As with any newly elected Congress, some new faces have emerged as key stakeholders on the committees relevant to privacy. And initial commentary shows that members understand the need for a federal law.
If they use the draft agreement (ADPPA) from the last Congress, which attracted ¾ of bipartisan leadership in the House and Senate Commerce Committees, they’re closer to a workable agreement than most realize.
Q: How are companies in highly regulated industries (e.g., healthcare and financial services) navigating this patchwork of data privacy compliance?
Gamble: Highly regulated industries, like healthcare, have additional rules governing their specific sectors, such as the Health Insurance Portability and Accountability Act, commonly known as HIPAA. A national privacy law could assist in providing clarity around privacy related to medical records, data collection, storage from mobile medical devices, and more.
The varying rules also impact consumer privacy. Just look at the rise of consumer AI through ChatGPT. The EU is again leading the way in this space and is on a path to regulating AI technology.
The United States is again lagging; the draft ADPPA had provisions related to algorithmic assessment that would help govern these kinds of fast-moving applications of AI, and a lack of rules could expose some users while deterring responsible, risk-sensitive customers from adopting AI solutions.
Q: Are consumers comfortable with the status quo when it comes to data privacy? Or are you seeing a push for more protections?
Britan: Consumers are demanding privacy protections more loudly than ever.
The Salesforce Connected Customer report notes that 74% of consumers say companies collect more personal information than they need, and 64% say most companies aren’t transparent about how they use personal information.
The vast majority of consumers want to engage online and they understand that this necessitates the sharing of their data. However, they also want to be able to control what data is collected, how it is used, and to know that companies will be held accountable for using data responsibly.
Q: How can companies balance consumer privacy considerations with business goals?
Britan: Companies are embracing the use of first-party data for responsible and effective engagement. Third-party targeted advertising is being rapidly phased out by laws and market pressures, but companies still need to engage with people. Fortunately, there are tools, such as Salesforce’s Data Cloud, that help companies use the data they collect directly from customers to effectively and responsibly engage with those customers.
The benefits of using first-party data for customer engagement are clear for privacy and business purposes:
- It comes directly from individuals, with their explicit consent.
- It comes with contact information and opens up the possibilities of direct communication.
- It comes with a clear understanding that a company’s consumers are interested in the company’s product or service.
Q: Are there baseline standards for companies to follow in order to increase trust with their customers?
Britan: Customers are increasingly demanding that their service providers demonstrate that they meet their legal obligations and are worthy of being trusted. At Salesforce, we show our commitment to privacy in ways including:
- Our Binding Corporate Rules (BCRs), which reflect the gold standard for operationalizing data protection and safeguarding cross-border transfers and have approval from all EU data protection regulators.
- We have verified adherence to the EU Cloud Code of Conduct, a first-of-its-kind charter that enables cloud service providers to demonstrate compliance with the GDPR.
- We have obtained certification for the APEC Cross Border Privacy Rules (CBPR), which, along with our Privacy Recognition for Processors certification, will seamlessly transition to the Global CBPR Forum and facilitate global data flows.
- We have enabled customer compliance with U.S. state privacy laws. We also ensure that our products support Global Privacy Control-based opt-outs and consent management.
Q: How can the United States work with other countries to protect consumer data?
Britan: The United States must first pass a comprehensive privacy law that builds upon global standards, and then work multilaterally — rather than unilaterally — to globalize rules of the road for the internet and government access to data.
Passing a law demonstrates that the U.S. shares the value of privacy with the rest of the world and is serious about working cooperatively with other countries to protect it.
Like-minded countries need to come together to agree on global standards. Government access to data is an underlying concern that is driving global privacy laws and that needs to be addressed with global solutions.
The recently adopted OECD Declaration on Government Access to Personal Data held by Private Sector Entities provides a strong baseline on which global rules should be based. The U.S. should work cooperatively with all countries that share our values to incorporate these principles into law.