The European concept of data protection as a fundamental right is certainly gaining traction in the United States. Fueled by highly publicized data breaches, abuses, and consumer complaints, the proposals—and in a few cases, enactments—from legislators have taken on a decidedly European flavor.
Comprehensive privacy protections enshrined in the European Union’s General Data Protection Regulation (GDPR) undoubtedly provided inspiration for many of the consumer rights created by the California Consumer Privacy Act (CCPA). And, of course, even outside the U.S., countries like Bahrain, Brazil, and Nigeria have adopted new GDPR-like laws of their own.
State and Federal Actions
Stateside, Washington’s proposed Privacy Act, which failed to advance in the 2019 legislative session, made an explicit reference to the GDPR, stating that “Washington residents deserve to enjoy the same level of robust privacy safeguards.”
On the federal level, Sen. Ron Wyden (D-Ore) recently introduced the “Mind Your Own Business Act” (S.2637). According to Wyden’s press release, the measure “contains the most comprehensive protections for Americans’ private data ever introduced” and “goes further than Europe’s General Data Protection Regulation.”
Indeed, in California, we have already seen the introduction of a new California ballot initiative, which similarly asserts that the CCPA “does not go far enough.”
Notwithstanding this momentum and the desire to propose “comprehensive” privacy protections à la the EU, the expansion of privacy rights in the U.S. will likely be incremental and piecemeal. For example, legislation recently enacted in Nevada and Maine applies only to commercial website operators and internet service providers, respectively.
Given that environment, it’s unlikely that a one-size-fits-all compliance approach will be an option any time soon. Still, as new legislation incorporates elements of the European model, companies subject to those laws can build a high-level playbook around the common themes, layering in the nuances needed to account for jurisdictional differences.
One of the recurring themes in privacy legislation is the concept of transparency. Organizations need to let individuals know what information they are collecting and why.
Laws may differ on what needs to be said, who needs to say it, and how it must be said, but an obligation to provide some sort of notice is usually a given.
In light of the detailed transparency obligations in the CCPA’s proposed regulations, expect to see California-specific notices, either as stand-alone documents or layered within an existing privacy notice.
Most legislation recognizes that individuals have the final say over what a company does with their information. Statutes commonly create rights to access, request, correct, or delete personal information.
To operationalize these rights, companies need to implement a process by which individuals can make—and companies can fulfill—individualized requests.
The elements of that process, however, may not necessarily be set forth in the statute. Nevada, for example, requires operators to provide a description of the process, but does not specify how the process itself must be implemented. Since many service providers are offering customizable programs to track and facilitate these sorts of communications, expect to see an uptick in third-party compliance solutions.
Data security is arguably the element that exposes companies to the most risk, since a breach can subject a company to reputational injury, administrative fines, and monetary damages. A breach of security also triggers an array of notification obligations and timelines across different jurisdictions, all of which need to be accounted for in a compliance program.
Given the risk, companies will likely devote greater resources and bigger budgets to ensure data security. They should also reexamine and, if needed, renegotiate insurance policies to maximize coverage for cyber-related risks.
Enforcement and Litigation
Differing regimes have different enforcement authorities, and private causes of action can arise from unlikely provisions. Most companies are aware of the CCPA’s private cause of action for security breaches, but expect the plaintiffs’ bar to test other theories.
California’s Unfair Competition Law—which allows plaintiffs to sue for practices that are “unlawful,” “unfair,” or “fraudulent”—has been mentioned as a possible alternative to the CCPA’s private right of action. While some would argue that the CCPA expressly prohibits private rights of action under any other law, expect a challenge to be raised nonetheless.
Read about other trends our analysts are following as part of our Bloomberg Law 2020 series.