Tuesday, February 26, 2019


In Europe, privacy is considered a fundamental human right. If you are collecting, using, or sharing personal information of a European resident, you will likely have to comply with the General Data Protection Regulation (GDPR) that became effective May 25, 2018. This single comprehensive omnibus law covers all industries and sectors and applies to all member countries. Penalties for noncompliance can be severe.

The United States does not have a single comprehensive privacy law. Instead, the United States has a patchwork of federal and state laws and has taken a sectoral approach to regulating data privacy. We have laws specific to industries and type of information such as health care, financial services, telemarketing, student records, and the online collection, use, and disclosure of information from children. States enact their own laws including data breach notification laws that now exist in all 50 states. A business that experiences a data breach must comply with the state law where each individual resides.

Great for lawyers, but terrible for businesses trying to figure out compliance obligations imposed by differing state and federal standards and laws regarding data privacy and breach notification.

For the most part, failure to comply with data privacy laws and regulations in the USA may expose a business to a potential enforcement action by a government authority. Such actions by the Federal Trade Commission or state attorney general offices are rare. Private rights of action generally do not exist in data privacy laws.

This is about to change.

The California Consumer Privacy Act (CCPA), which becomes effective January 1, 2020, is the broadest privacy law to date in the United States and will allow consumers a private right of action in the event of a data breach. Technology companies in Silicon Valley and elsewhere are scared to death. They much prefer the limited risk of a government enforcement action. With statutory damages of $750 per incident, a business that suffers a data breach and fails to comply with the CCPA can be looking at huge damage claims. The plaintiff need not demonstrate any harm. This is a game changer in the world of privacy law.

Other states may follow the California approach. Washington State is now considering GDPR-like legislation even more protective of consumer rights than the CCPA.

Is it finally time for the United States to follow the European model and enact a comprehensive federal privacy law?

A recent report completed by the General Accounting Office (GAO) entitled “Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility” suggests that the time has come. The GAO evaluated government enforcement actions and interviewed stakeholders from industry, consumer advocacy groups, and academia.

“We found that there is no comprehensive U.S. Internet privacy law governing private companies’ collection, use, or sale of users’ data. Consumer advocates and others told us greater regulatory powers are needed. Most industry representatives we interviewed favored the current enforcement approach and warned that regulations could hinder innovation. We recommended that Congress consider developing comprehensive Internet privacy legislation to better protect consumers.” [U.S. Government Accountability Office, GAO-19-52, published January 15, 2019, publicly released February 13, 2019.]

Several Congressional hearings are scheduled to consider the GAO report and possible federal privacy legislation, including the House Energy and Commerce Committee on February 26 and the Senate Commerce Committee on February 27.

There are legislative proposals currently being considered in Congress including the American Data Dissemination Act, the Data Care Act, and the Consumer Data Protection Act. The United States Chamber of Commerce has released model legislation that would supersede the CCPA and other state data privacy statutes.

While this proposed legislation varies in scope, definition, and substance, the bills share common themes. The proposed laws often require some form of baseline data security safeguards for organizations that collect, store, use, or share personal information. They may grant the FTC rulemaking authority and more enforcement power. None of them includes a private right of action.

The lobbying for a comprehensive federal law to preempt the multiple state data privacy law mishigosh (Yiddish; not a legal term) has intensified.

Fearful of the CCPA, businesses would love to see a federal law enacted before January 1, 2020 that preempts the CCPA, as well as any new Washington or other state law that attempts to offer consumers a private right of action or other enhanced privacy rights.

Can 2019 be the year we finally get a comprehensive federal data privacy law? Based on my experience in past years and the current inability of Congress to pass any meaningful legislation, I doubt it.

I do, however, recommend that businesses get ready for the CCPA. January 1, 2020 will be here sooner than you think and with it a new private right of action. Let the lawsuits begin.
