For those of us in the privacy profession, 2019 was a year of constant change, with the already complicated world of data privacy law evolving on critical issues in real time. 2020 already appears to be on a similar trajectory, as we can anticipate a series of substantial developments in the area.
What are the key issues to be watching in 2020?
The California Consumer Privacy Act
I am tempted to have the impact of the CCPA be all five of my top five. Instead, it’s clear that analyzing and implementing the CCPA in 2020 will be a major challenge for companies across virtually every industry sector. We can anticipate an impact that mirrors the European Union’s General Data Protection Regulation (GDPR) process in the spring of 2018, with less clarity, a shorter time frame to work with, and an even more confusing set of obligations.
It is clear that, regardless of your view on the general substance of the CCPA, the language of the law remains a mess. In addition, because of the intersections of the law’s provisions across data flows, it will be even more important to prepare early and address complicated issues with business partners up and down the line.
The fact that the regulations are not yet finished and that there likely will be a new referendum in November 2020 is not making any part of CCPA compliance easier.
The EU’s GDPR
The GDPR can serve as a loose model for how many companies are thinking about CCPA. The analogy is imprecise at best, but many of the activities undertaken for GDPR compliance will prove useful for the CCPA (such as any skills learned in GDPR data mapping, even if CCPA applies to different data).
We are now moving toward GDPR 2.0—where enforcement is beginning and companies are grappling with some of the operational challenges of the GDPR (such as many of the individual rights and the largely unworkable breach notification provisions).
Thrown on top of this is the ongoing Brexit problem (obviously a bigger problem than just privacy but causing mass confusion for privacy) and the potential disruption of EU-U.S. data transfer mechanisms—along with meaningful concern about actual enforcement with significant fines.
The Federal Trade Commission
Throughout the modern era of privacy regulation, the FTC has been the primary and most visible regulator. Most of its actions, however, have focused on data security issues more than privacy. In 2019, it began to flex its muscles, shattering financial records in its enforcement activity.
There are a variety of new investigative proceedings underway (along with multiple efforts at revising existing rules), and the industry is paying lots of attention to every move that the FTC makes.
At the same time, it is clear that, in many situations, the FTC is hampered to some degree by its primary enforcement tool—which generally does not provide the means of financial penalties in the first instance. The FTC clearly is looking to up its game on privacy enforcement.
Impact of State AGs
The FTC also faces some competition of its own as the top privacy and security regulator, from an increasingly aggressive set of attorneys general.
The authority of most state AGs on privacy mirrors the core consumer protection elements of the FTC’s authority. At the same time, the state AGs are not hampered by some of the procedural and substantive limitations impacting the FTC.
In 2019, the state AGs began to use their authority—individually and collectively—in a much more aggressive way. These coordinated cases are of increasing concern to industry (as are some ongoing “uncoordinated” cases).
We will watch in 2020 whether this expansion of enforcement—in volume of cases and dollars—continues to grow, and whether the state AGs will engage in substantive privacy regulation only where companies have truly engaged in inappropriate behavior, or whether the state AGs will become much more political in their ongoing activity.
National Debate/Tipping Point
The privacy wild card is the ongoing debate on a national privacy law. We’ve had this debate for almost 20 years now—with virtually no meaningful progress to date. Now, the combined impact of the CCPA, the GDPR, and a variety of prominent privacy and security scandals has made a national privacy law increasingly likely.
At the same time, because of both substantive concerns and the overall state of play in Congress generally in a particularly turbulent presidential election year, “increasingly likely” does not at all mean it will happen in 2020. In fact, the overwhelming odds do not favor any new national privacy law in 2020.
In 2021—regardless of who is president—all bets are off.
Moreover, the true wild card for 2020 is whether other states will follow California’s lead—particularly if they follow it with their own laws that do not track California (which, given the California history, is quite likely). If we see three to five states passing a broad privacy law in 2020, then national movement becomes much more likely—although still not before 2021.
Privacy professionals have their work cut out for them. We are already seeing incredibly sophisticated and challenging CCPA questions and increasing concern about the growing volume of privacy enforcement from a broad variety of agencies.
This is an issue that is now a first-tier concern and compliance challenge for companies across all industries, who are using, disclosing and analyzing the expanding universe of personal data in their daily business activities, driven by increasing possibilities. With this important opportunity comes greater risk.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kirk J. Nahra is a partner with WilmerHale in Washington, D.C., where he co-chairs the global Cybersecurity and Privacy Practice. He represents companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally, including advice on data breaches, enforcement actions, big data issues, contract negotiations, business strategy and overall privacy, data security and cybersecurity compliance.