Thursday, December 19, 2019

Will 2020 See a Comprehensive Federal Privacy Law?

I just finished presenting my second webinar on the new California Consumer Privacy Act (CCPA), which becomes effective January 1, 2020.  Not a lot of time left to get ready.

Businesses are frantically performing data mapping to find out what personal information they collect on California residents and for what purposes, revising their website privacy policies, implementing data security safeguards, reviewing vendor agreements, creating new procedures to respond to consumer requests for access to or deletion of data, purchasing cybersecurity insurance, and other activities necessary to comply with the CCPA.

Many are fearful of the lawsuits likely to follow as a result of the CCPA’s private right of action and provision for statutory damages of up to $750 per incident in the event of a data breach. If records of 50,000 California residents are involved in a data breach, and the business failed to have reasonable data security in place to protect against the breach, a potential claim under the CCPA could exceed $37.5 million. What’s more, under the CCPA, a plaintiff’s lawyer does not need to show any actual harm to an individual caused by such a data breach.  

This private right of action — and potential class action lawsuits enabled by this right — are scary.  

Similar to the CCPA, the Illinois Biometric Information Privacy Act (BIPA) — that regulates the collection, capture, and storage of biometric identifiers such as fingerprints, voiceprints, and retina/iris scans — also provides for a private right of action. Under the BIPA, a person can recover liquidated damages of up to $5,000 or actual damages, whichever amount is greater, for an intentional or reckless violation of the BIPA. In 2019 alone, there have already been over 160 class actions filed asserting BIPA violations. The Telephone Consumer Protection Act (TCPA) is another privacy related law with a private right of action that has led to an explosion of private lawsuits and multi-million dollar settlements. 

With statutory damages, private rights of action, and no need to allege or prove any actual injury or harm, BIPA, TCPA, and now the CCPA are open invitations to plaintiffs’ lawyers looking for potentially lucrative class actions.

Many of us thought that the CCPA private right of action would be the impetus necessary for a comprehensive federal law to regulate data collection activities and replace the current patchwork of multiple state and federal laws. Facebook, Google, and other tech companies have actively lobbied for such a new federal law to preempt the CCPA and other copycat state laws.  

As we draw close to the end of 2019, Congress is, however, busy dealing with other matters.

There was a glimmer of hope this past week after legislation known as the Consumer Online Privacy Rights Act (COPRA) was introduced in the U.S. Senate. This digital privacy act would offer U.S. consumers the same types of data privacy protections as the European General Data Protection Regulation (GDPR), including transparent privacy policies and reasonable data security practices. It would also create a full-staffed bureau directly within the Federal Trade Commission (FTC) to enforce those privacy rights. 

But the current draft of the COPRA legislation would not pre-empt the CCPA and would allow individual states to craft their own privacy legislation. We may thus still end up with 50 different versions of the same law — one for each state. So much for eliminating the patchwork mess of state and federal data privacy laws that we have today.  And the current COPRA draft also includes a private right of action allowing citizens to sue companies. 

The private right of action and non pre-emption of state laws will make it difficult for the current version of COPRA to garner much business support in 2020. At least eight other federal legislative initiatives are being discussed with varying levels of bi-partisan support. We will just have to wait and see.

In the meantime, enactment of the CCPA and other copycat state laws in 2020 may add momentum to efforts at the federal level to find a comprehensive law that enhances privacy rights for individuals and lessens the compliance burden on businesses. While we can hope for a comprehensive federal data privacy and security law in 2020, businesses had better implement reasonable data security programs now and get ready for the likely lawsuits to follow once the CCPA takes effect January 1.

No comments :

Post a Comment