U.S. Data Privacy Regime: It’s a Long Road to Efficacy
Written by Guest blogger: David Stauss, partner at Husch Blackwell LLP
With the passage of the California Privacy Rights Act (CPRA) comes the creation of the California Privacy Protection Agency (CPPA) which will have full administrative power to implement and enforce the CCPA and the CPRA.[1] Given that the $3.1+ trillion economy of California is the fifth largest in the world, the CPPA is poised to become one of the world’s most influential data privacy authorities. If the CPRA did nothing else other than create this administrative agency it still would have been substantial.
Of course, the privacy protection challenges do not end with the passage of regulation and the creation of a data protection authority. The CPPA must now begin the rulemaking process, which was a monumental and arduous undertaking when the attorney general tackled it for the CCPA. And this go-round there are three times as many regulations and only a little more than a year (with a July 2022 deadline) to do it. But even once that occurs, it will take time to clarify ambiguities and translate what is written on paper into the reality of enforcement.
Simply put, you can set anything on paper and ostensibly create even the most onerous privacy regime, but in the absence of enforcement there is no risk to those subject to the regulations. Without risk (and today privacy is risk), businesses will rightly direct energy and resources to more pressing concerns.
Privacy Enforcement Challenges
The challenges of effective enforcement are not new to the nascent data privacy efforts in the U.S. They can be seen in Europe despite the relative maturity of the GDPR and what is arguably a high level of sophistication among the authorities charged with enforcing it. As an example, enforcement of the GDPR by the Irish Data Privacy Commission (DPC) – a DPA with its own enforcement structure, and perhaps a different enforcement attitude than that of other DPAs – has proven less than efficacious.
In an open letter from his nonprofit noyb (My Privacy is None of Your Business), Max Schrems complained bitterly about the Irish DPC’s alleged lack of resolve in three high-profile cases against Facebook, WhatsApp, and Instagram: While “the French CNIL was able to single-handedly issue a €50 million fine against Google within seven months…the DPC has only completed the first of six steps….” At that rate it “will easily take more than ten years until all appeals are decided and a final decision is reached.” noyb opines that “the GDPR is only as strong as its weakest DPA,” and calls for more cooperation (noyb, 2020).
Interestingly, in a hearing before the Joint Committee on Justice of the Irish Parliament, DPC Commissioner Helen Dixon “openly argued ‘In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.’”
All of this may portend struggles well into the future for data privacy advocates here in the U.S. who look to the GDPR for inspiration. Even for those energized by the slow and frustrating advancement of privacy law at the state level (the WPA went 0 for 3 with the adjournment of the legislature on April 25, 2021), can you really have 50 state attorney general offices across the United States with the needed level of sophistication and resources to effectively enforce privacy laws as they’re written? More important, perhaps, is settling on what constitutes the most effective enforcement mechanism: a DPA, the AG, litigators? This is a hurdle that proved too much for Washington State and Florida, and it continues to vex others.
Virginia
In contrast to the CPRA and the creation of the CPPA, the Virginia Consumer Data Protection Act (VCDPA) – which drew heavily on the proposed Washington Privacy Act (WPA) as well as the CCPA – keeps enforcement with the attorney general. The VCDPA provides no statutory authority, nor is there a right of private action. Furthermore, absent a significant enforcement budget the attorney general office’s ability to go after non-compliant organizations will be de minimis until it starts levying fines and getting settlements that can go into a fund to sustain it.
No private right of action and attorney general enforcement on a limited budget. That’s not going to be high on a business’ risk profile. Again, no risk: no real incentive for businesses to divert limited resources to compliance.
Florida and Washington
In the span of just two weeks in April 2021, the issue of enforcement doomed privacy bills in both Washington (a blue state) and Florida (a red state).
In Florida, the third most populous state with a not inconsiderable $1.1+ trillion economy (making it the seventeenth largest in the world), the Florida House and Senate both voted to pass bills, one containing a private right of action and one that did not. Ultimately, that single issue prevented legislation from passing.
Similarly, in Washington, the Senate voted overwhelmingly (48-1) to pass a bill without a private right of action but the House refused to bring the bill to a floor vote, in large part because of that issue.
Taking a step back, in a country in which our political parties can agree on virtually nothing, it is remarkable to see the issue of enforcement creating intra-party strife and that both a blue state and red state were not able to reach accord on this issue despite a strong desire from all concerned to pass legislation.
The concerns regarding a private right of action are not unfounded. Since the CCPA went into effect, dozens of civil lawsuits, including class actions in state and federal courts, have been filed. But this pales in comparison to the lawsuits citing the Illinois Biometric Information Privacy Act (BIPA), which give ample credence to business concerns over the private right of action.
Illinois
Enacted in 2008, BIPA actually saw few citations until recent years. This changed, in part, with the 2019 Illinois State Supreme Court ruling in Rosenbach v. Six Flags which held that individuals did not need to show harm other than that of being “aggrieved.”
There are now more than 750 class actions claiming BIPA violations.
This is precisely what companies fear with a full private right of action. Rather than addressing actual or threatened harm as elucidated in Article III, litigation is prosecuted solely for technical violations. Washington State attempted to mitigate the potential excesses by restricting awards to injunctive relief, but this proved insufficient.
The private right of action is not the only threat to business. The burden of regulatory compliance can be an insurmountable hurdle for startups and other small businesses, drain resources, and crush growth.
In fairness to privacy advocates, the absence of a private right of action could have the opposite effect – i.e., under-enforcement instead of over-enforcement. For privacy advocates, these bills are nothing more than paper tigers if they do not contain a strong enforcement mechanism that empowers ordinary consumers to go after companies to enforce the various privacy rights that are provided in the bills. More to the point, these bills must incentivize attorneys to take these cases in the hopes of representing classes of individuals and recovering attorneys’ fees and costs.
Managing this tension has been a concern of lawmakers, and their method of addressing it raises fundamental issues.
Different Rights, Different Values, Different Risks
While data privacy efforts in the U.S. certainly take cues from the GDPR, the introduction of thresholds (involving company revenue, revenue from selling or sharing personal data, number of customers, and/or number of records) is a marked departure.[2] Exemptions are also given to universities and non-profits, to name a few.
This approach raises the question: How can the same data set in the hands of a company with $50 million in annual gross revenue have value, but the same data set in the hands of a company with $10 million does not? Why does data, or the right to privacy, have no value in the eyes of the law when held by a non-profit or university? It certainly has a great deal of value to them. With the GDPR, you’re all in. No business is exempt based on the types of thresholds that are being set in U.S. law. The value of data is the same irrespective of the size or revenue of the business controlling that data.
The issue, as we saw in Florida and Washington, is bipartisan concern about the burden data privacy legislation can place on smaller-sized businesses. (Perhaps this perspective is amplified by a hyper focus on tech giants like Facebook and Twitter.)
The current approach in the U.S. is to simply exempt thousands of small and medium businesses that collect, store, and use personal information from data privacy regulation. This approach is inconsistent with breach notification requirements, which do not exempt smaller companies.
The GDPR, rather than arbitrarily derogating the value of personal information controlled or processed by smaller businesses, derogates record keeping requirements (defined in Article 30) for businesses with fewer than 250 employees. This alleviates some compliance burden for “SMEs” while still holding them to account and valuing personal and sensitive information consistently from both the business and consumer perspectives.
Challenges to Enforcement, Challenges for Business
Consumers are getting smart about data privacy. They are choosing who they spend their money with based on a company’s privacy profile and are becoming increasingly savvy about how to protect their privacy from the “surveillance marketing” ecosystem.
The good news for business is that respecting and safeguarding customer privacy is a winning approach. But an immediate concern is how to effect compliance in an ever-evolving regulatory landscape. Right now, it looks like chaos. This uncertainty represents risk to business, but the bottom line is that data privacy regulation and enforcement is going to be a moving target for some time. Business will need to be prepared to adapt.
The question we get most from clients is “Is there a one-size-fits-all solution to this? Is there something that I can do organizationally that will set me up for compliance with any statute that comes down the pike?”
While it is impossible to predict what is going to happen, if your product development and market strategy have incorporated data privacy, you will be in a good position to adapt to regulatory changes. A well-documented data privacy program that enables an organization to understand its data and establish the appropriate consent mechanisms is fundamental. Such a program, with the appropriate tools and automation, will also provide the agility necessary for an organization to quickly modify data privacy policies and procedures to meet future compliance requirements.
[1] On March 17, 2021, California officials announced the “establishment of the five-member inaugural board”.
[2] California’s thresholds include $25 million in annual revenue, or 50,000 records under the CCPA (going up to 100,000 records under the CPRA), or 50% of annual revenue derived from selling or sharing consumers’ personal data. The Virginia CDPA thresholds are 100,000 records, or at least 25,000 consumers combined with deriving over 50 percent of gross revenue from the sale of personal data. (The same thresholds were proposed by the WPA.)
David Stauss is a partner at Husch Blackwell LLP and leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.