The new decade has barely begun, and the world of privacy already seems set to change quickly. Here is a brief overview:
New Laws In Effect as of January 1
On January 1, 2020, new data breach notification requirements went into effect in three states: Texas, Oregon, and Illinois. Each law has a unique twist on privacy-related notifications (and thus places additional burdens on businesses):
- Texas places a definite time limit on notifying individuals after a breach occurs: 60 days (and not “as quickly as possible”).
- Oregon extends notification obligations to vendors, which must notify the state attorney general if the breach involves more than 250 Oregon residents.
- Illinois requires “data collectors” to notify the state attorney general if more than 500 Illinois residents are affected by a breach.
In addition to these new notification laws, a new artificial intelligence law in Illinois has also gone into effect: the Illinois Artificial Intelligence Video Interview Act. The new law requires an employer using AI during the interview to (1) notify the applicant of the use of the technology, (2) provide an information sheet explaining how the technology works and is going to be used, and (3) obtain the applicant’s consent before the technology is used.
More States Begin Thinking Like California (and Europe)
The California Consumer Privacy Act (CCPA) is not only a big deal for organizations doing business in California that obtain or use personal information; it’s also a big deal for everyone else. States are now clearly looking to California as a model for their own, new, more robust privacy laws. As examples:
- A bill introduced in the Virginia House of Delegates proposes data privacy rights similar to the CCPA and European General Data Protection Regulation (GDPR); defines “data controllers” who have responsibility for effectuating privacy rights and disclosing information; and requires controllers to perform data risk assessments on data processing activities.
- The Nebraska legislature introduced a bill that provides consumers the right to know what information is being collected about them as well as an “opt out” of the sale of their personal information, similar to the CCPA’s opt-out requirement.
These bills are just beginning their legislative journey, so they are subject to amendment as well as public hearings before they come up for a full vote. Whether they become law or not, it is clear that California has provided a template for other states to follow.
California Continues to Be a Moving Target
The CCPA is now in effect, although the California Attorney General won’t begin enforcing the law until July 1, 2020. The AG submitted proposed regulations in October, and after a public notice and comment period ended on December 6, is, as of this writing, in the process of either revising them or (more probably) finalizing them. The regulations are a critically important piece of the enforcement puzzle, and without final regulations businesses can be excused for thinking that their own compliance programs entail more than the usual amount of guesswork for a new law. While AG Becerra has suggested being merciful toward organizations that are making good faith efforts toward compliance in the face of uncertainty, hoping for mercy is not, generally speaking, a recommended legal strategy.
As if that isn’t bad enough, a new California privacy law introduced in September 2019 — which proposes data minimization and processing restrictions, among other things — could create a new round of resource-intensive efforts to comply with the information protection laws of the fifth-largest global economy. Where California will land in the foreseeable future seems to be a frustrating parlor game.
What can we glean from this dizzying array of legal change?
- Illinois’ data laws are particularly robust. Between heightened notification laws, a rigorous Biometric Information Privacy Act that is currently the subject of several class action disputes, and a first-of-its-kind Artificial Intelligence disclosure law, Illinois offers a unique blend of forward-thinking data protection laws and is already thinking seriously about how AI is going to play a role in our data future.
- States are moving toward greater protections of specific rights. Whether or not any particular state’s attempt to move the data protection needle in a more robust direction is successful, the trend toward defining specific rights (such as deletion, access, or sale opt-outs) and creating a legal regime around those rights is not going away.
- States are explicitly including more actors in their privacy laws. Whether the law defines vendors, controllers, or data brokers and creates obligations concerning them, states are increasingly aware that data flows are complex and touch many different actors, and are concerned about holding actors within the data flow stream accountable.
- National legislation seems more necessary, but is probably still far away. Both a Republican and Democratic version of a comprehensive data privacy law have been introduced in the U.S. Senate. Both arise out of real concern among federal lawmakers about the need for standardized privacy protection. But despite this bipartisan recognition, election year dynamics and the complexities of solving the problems of preemption (that is, what to do about more robust state-level privacy laws) and private rights of action (should average consumers be able to sue under the law or not) appear likely to keep national data privacy legislation the Zeno’s arrow of legislative efforts.
- Notice is still king. Whether the law is the CCPA, the BIPA, the GDPR, or something else, notice to consumers continues to be privacy law’s touchstone. While some might argue that the best privacy laws would focus on making organizations fiduciaries of consumer data, such a sea change seems less and less likely as more jurisdictions adopt the Californian or European model. The law seems to be headed to more or less robust versions of the notice regime.
Perhaps 2020 will be seen as a turning point in privacy law. Then again, is there a recent year when that hasn’t been the case?