Privacy Law Update: October 3, 2022
U.S. President Joe Biden is expected to publish an executive order concerning a new agreement on EU-U.S. data flows as early as Oct. 3, Politico reports. According to individuals involved in negotiations, the order will cover new legal protections over personal data access and use by U.S. national security entities. Principles for necessity and proportionality in relation to government surveillance activities are included in the order. Once the order is published, the European Commission will begin a ratification process that could take as long as six months to complete.
If we’re to be more proactive in identifying and preventing privacy and security risks, CPOs and CISOs must work together now more than ever. Security teams can’t protect personally identifiable information (PII) like names, Social Security numbers, home addresses, phone numbers and personal email addresses if they don’t understand what the information is and where it resides; and privacy teams can’t function in a company without the security controls in place to protect PII.
Continuing its push as the nation’s first-mover on privacy, California has passed a bill that will require potentially significant new privacy commitments from online services that are “likely to be accessed” by children under 18. Covered companies have until July 2024, when the law takes effect, to assess their practices and come into compliance. In addition, implementing regulations due in January 2024 will give specifics on compliance.
In an op-ed for The San Francisco Chronicle, California Privacy Protection Agency Board Chair Jennifer Urban reiterated the agency’s position on how the proposed American Data Privacy and Protection Act would “undermine” Californians’ privacy rights and businesses’ “ability to confidently invest in more privacy-protective practices.” Urban said companies “may be understandably confused about how to invest if Congress overturns this existing guidance” under the California Consumer Privacy Act. She also noted how federal preemption would discontinue states’ ability to “experiment more nimbly” with legislation and react to emerging trends.
Data privacy isn’t just about compliance – it’s turning into a marketing and operational advantage for many businesses. Staying GDPR compliant gives companies an advantage over rivals: they are beginning to forge more trusting customer relationships, which they fully expect will deepen loyalty and drive up the bottom line. Complying with the General Data Protection Regulation (GDPR) is a challenge, but strong data privacy opens up the opportunity for a strong advantage over the competition, such as improved customer loyalty and more efficient operations. The negative headlines around GDPR, such as Amazon‘s fine earlier this year, the largest issued of its kind to date, can encourage businesses to see compliance as a burden. The truth is, it can be an opportunity to win and retain new customers if you can turn respect for consent and protection of privacy into competitive differentiators.
California: On Friday, September 23, the California Privacy Protection Agency held a board meeting to discuss various administrative and rulemaking topics. As expected, there was no announcement on delaying either the CPRA’s enforcement or effective dates; however, Board Member Le suggested that (1) the Agency could request from the legislature the ability to provide more direct guidance to businesses (without running afoul of restrictions on ‘underground rulemaking’), or (2) the Agency could promulgate a regulation expressly recognizing that a delay in finalizing the regulations is a “factor that the Agency may consider” when deciding whether to initiate an enforcement action or offer an opportunity to cure. [Note that the California legislature is currently out of session]
There was also significant discussion of the rulemaking process, particularly the procedural complications and hurdles that will be raised in the interaction of both the California APA and the Bagley-Keene Open Meeting Act. Executive Director Soltani urged the board to give a strong signal on the timeframe for meetings to advance the draft regulations, mentioning October and November (suggesting to us that the Agency may still hope to finalize initial draft regulations by end of year). Soltani further stated that staff is “burning the candle at both ends” working on the rules and that “there will likely be quite a number of changes [to the draft regs] in response to comments.”
The CPPA has also posted the public comments that it received in response to its initial draft implementing regulations. There are 102 total comments spanning well over 1,000 pages.
Michigan: On Tuesday, September 27, Senator Bayer (D) and 8 Democratic co-sponsors introduced SB 1182, the “Personal Data Privacy Act.” While this comprehensive privacy bill generally follows the ‘Virginia model’, it includes a data broker registry and provides for a private right of action that, similar to ADPPA, would require prior written notice to the party alleged to be in violation. While the bill is unlikely to move this late in the session of a Republican-controlled chamber, we are interested to see whether it represents a new trend of state privacy proposals incorporating elements from ADPPA.
New York State: On Friday September 23, Senator Gounardes (D) introduced S9563, “The New York Child Data Privacy and Protection Act”. While the Act contains some similarities to the recently enacted California Age Appropriate Design Code, it would go much further in numerous respects, including:
- Not requiring age estimation, but instead applying to all “online products” targeted towards (accessible to and used by) child users.
- Requiring an expansive risk assessment for any new online product (including services, features, or platforms) be submitted to, and approved by, the state AG before the product can be made available to consumers.
- Empowering a new AG Bureau to ban autoplay videos, in-app purchases, push notifications, prompts, or other features for particular products that it chooses.
- Requiring online products to prioritize civil and criminal subpoenas and criminal warrants when a child user has been a victim of a crime.
- Creating a private right of action.