Privacy legislation: The road ahead

Oct 17, 2019 (7 min read)

The pace of change in privacy laws, and the technologies they seek to regulate, is only accelerating.

Midway along my drive to work each morning, I gain the freedom to unbuckle. New Hampshire, known for its “Live Free or Die” motto, is the only state in the union that views my seatbelt use as optional. As I cross state lines from Maine to New Hampshire, the rules of the road change.

Increasingly, the same can be said for the laws governing privacy. Those patrolling the beat may understand the jurisdictional boundaries, but technologically those boundaries are often irrelevant, forcing many organizations to pay attention to all such laws at once.

It’s a winding road ahead.

As privacy professionals driving new technologies forward peer beyond their dashboards, a rapidly changing US landscape is unfolding. The US privacy regime is already complex. It features a host of sectoral laws at the federal level, FTC enforcement against unfair and deceptive practices to plug the holes, 50-plus data breach notification laws, state-level "mini-FTC" acts, a smattering of state privacy laws, and an aggressive plaintiffs' bar. While that's a lot to grapple with, the pace of change in privacy laws, and the technologies they seek to regulate, is only accelerating.

It’s worth looking at where we are, where we’re headed and what might help those who are behind the wheel or just along for the ride.

State-level momentum

As CCPA 1.0, 2.0 and a multitude of state-level privacy proposals crowd the horizon, US Supreme Court Justice Louis Brandeis’ introduction of both the US “right to privacy” and the notion of state legislatures as “laboratories of democracy” seems increasingly prescient.

CCPA 1.0

Right now, the California Consumer Privacy Act is front and center. CCPA goes into effect January 1, 2020. Enforcement is slated to begin six months later. The CCPA is unprecedented in some respects, requiring covered businesses to allow California residents to opt out of the “sale” of their personal information to third parties via a mandated “Do Not Sell” button on their websites. The impact of that novel requirement might be minimal if the term “sell” were narrowly defined, but it isn’t. A sale occurs when an organization shares personal information with a third party for “valuable consideration.” While there are exceptions, the breadth of valuable consideration could capture a lot. Other CCPA requirements are more familiar and reminiscent of the EU General Data Protection Regulation, including access, deletion and transparency requirements. However, they are still new under US law, difficult to provide to only one geographic locale and will require companies across the US and around the globe to once again update privacy policies and data processing agreements. Understanding and implementing these new requirements will require close collaboration across and between organizations.

CCPA 2.0

As privacy professionals awaited CCPA regulations from California’s Attorney General and geared up to discuss necessary updates with colleagues on engineering, design, security, legal and product teams, the landscape shifted once again. On September 24, Alastair Mactaggart, who launched the ballot initiative that led to CCPA, launched yet another. The California Privacy Rights and Enforcement Act of 2020, or CCPA 2.0 as it’s been termed, would amend the CCPA. If adopted, it would create new privacy rights, many aligned with the EU GDPR, and heightened protections for sensitive personal information. The CPREA would establish a new privacy enforcement agency, impose stronger penalties for misuse of children’s data, and mandate disclosure of the logic involved when profiling has a significant adverse effect on the consumer. Greater transparency related to personal data use in election campaigns is also envisioned. While Mactaggart faces an uphill battle and a requirement for 623,212 signatures to place his initiative on the ballot in 2020, polling suggests Californians are overwhelmingly with him.

Other state legislation

State-level privacy legislation is gaining momentum quickly. Developments in California are understandably the number one focus right now, but many other states have put forward or are contemplating legislation. Maine and Nevada have already adopted new laws. Current proposals share some major commonalities: consumer rights to access, opt out of, delete, and port their data. Many include business transparency obligations and a prohibition on discrimination. Industry is watching closely, because more than a handful of these proposals include a private right of action. Some proposals also feature unique elements with the potential to create conflicting requirements as data moves across those invisible state lines. Several states without legislation just yet have established task forces to study the issue and plan to put forward recommendations soon.

The federal traffic jam

The US Congress is a bit of a traffic jam. There are a multitude of proposals, but considerably less momentum. Still, privacy has traditionally transcended partisan politics, so a sufficiently large state-law collision could propel a bill forward quickly. It's an arena well worth tracking. This year alone, Senators Rubio, Klobuchar, Cortez Masto and others have sponsored privacy bills, and strengthened FTC oversight and enforcement authority is a common theme among them. Privacy groups, industry associations and even private companies have also offered up their own legislative discussion drafts, including proposals from the Center for Democracy and Technology, the US Chamber of Commerce, Intel and others. While the immediate next step is unclear, rapid change in the state landscape could lead to federal action.

Intersections ahead

With the potential for many divergent state-level laws, and federal lawmaking somewhat stalled, privacy professionals are searching for areas of convergence. A few paths ahead merit consideration.

One federal initiative is moving forward quickly. The National Institute of Standards and Technology plans to publish version 1.0 of its Privacy Framework before year's end. The NIST Privacy Framework aims to bridge the gap between security and privacy. It is designed to be implemented alongside NIST's Cybersecurity Framework to help organizations identify and manage privacy risks. Its authors seek to forge a common language to help privacy professionals across an organization communicate effectively. By outlining a set of privacy outcomes and controls, and presenting considerations for privacy engineering rather than a rights-based regime, the Framework could also rise above legislative differences.

International standards and certification regimes could play a similar role. The International Organization for Standardization recently released ISO/IEC 27701, a privacy information management standard, as an extension to the ISO/IEC 27001 and 27002 security standards. ISO/IEC 27701 was designed with an eye to GDPR certification but is now being mapped to privacy laws around the world. The IAPP's Westin Research Center has also mapped it to the IAPP's CIPM and CIPP/E certifications to offer insight into the professional skillset necessary to implement a global privacy standard. Other privacy standards remain under development, including within ISO, IEEE and elsewhere.

Academic scholars, too, are charting new paths and identifying areas of intersection. Cybersecurity and privacy are increasingly taught in tandem in higher education. Engineering programs are just beginning to team up with law schools to offer interdisciplinary training. And leading scholars are pointing to other legal and non-legal disciplines for solutions. Woody Hartzog, for example, cites product safety law and design as inspiration for the next generation of privacy rules. I might note that while each state in the union has taken its own stance on my right to unbuckle, the federal government made crystal clear through the Motor Vehicle Safety Act that the seat belt must be installed.

We best buckle up. It’s a busy road ahead.


As President and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world’s largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.

Trevor is widely recognized as a leading privacy expert, appearing at SXSW, RSA and other privacy and technology events. He has contributed to media outlets such as the New York Times, TechCrunch and WIRED and has provided testimony on issues of privacy, surveillance and privacy-sensitive technologies before the U.S. Congress, the U.S. Federal Trade Commission, British Parliament and more.

Trevor previously served as the executive director of the Network Advertising Initiative and the Email Sender and Provider Coalition. He received his undergraduate degree from the University of Massachusetts, Amherst and his Juris Doctor from the University of Maine School of Law, where he is also an adjunct professor and member of the Law Foundation Board.

The opinions expressed in this blog are those of J. Trevor Hughes and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.