The California Consumer Privacy Act (CCPA) is the most comprehensive privacy regulation at the US-state level, and has now been in effect for two months (since January 1, 2020). The CCPA has put pressure on some of the largest tech companies to re-evaluate how they handle personal information and gives consumers increased control over their own data. We’ve recently seen the first class-action lawsuits filed against Amazon’s Ring1, which will test the CCPA’s private right of action requirement.
Businesses continue to pour resources into meeting the CCPA’s opt-out of sale, consumer rights and other compliance requirements, however, the CCPA only protects the privacy rights of California residents. The CCPA also draws inspiration from the EU’s General Data Protection Regulation (GDPR), but lacks a key opt-in consent requirement that is a feature of EU and international privacy regimes.
Organizations need to be proactive with their privacy compliance activities as US and global privacy regulations continue to develop and harmonize in the future, especially with the introduction of a long-overdue US federal privacy law expected in 2020.
Finally, A US Federal Privacy Law?
Privacy issues and high-profile data breaches captured our attention in 2019, and consumers, policymakers and businesses alike are wondering when a comprehensive federal privacy law will be passed in the United States.
With the CCPA fully in force, many other states have already followed or are soon to follow with their own state privacy legislation. Nevada and Maine have already passed comprehensive privacy laws of their own, and there are currently up to 12 other states2 that have privacy bills introduced or in-committee.
In 2019, there was also a lot of talk of a US federal privacy law – driven by increased consumer awareness of privacy issues and the CCPA coming into effect. Currently there is still no comprehensive federal privacy law in force in the US, however, two notable federal privacy bills were introduced in the Senate at the end of 2019.
First is the Consumer Online Privacy Rights Act (COPRA) introduced by the Senate Democrats. On the other side of the aisle is the US Consumer Data Privacy Act of 2019 (CDPA) introduced by the Republicans. Both federal privacy proposals include many of the same privacy protections and will be enforced by the Federal Trade Commission (FTC). Some of the similarities include:
- Similarly to the GDPR, both COPRA and the CDPA will require affirmative opt-in consent from individuals before processing sensitive personal information;
- The requirements of transparent privacy policies, reasonable data security controls, and privacy impact assessments;
- Both proposals provide individual rights to access, correction, and deletion of data.
A key difference between the two proposals is that the CDPA would supercede any existing state privacy laws, while COPRA will keep state privacy laws in place if they have a higher standard for data protection. In addition, the COPRA bill allows for private right of action, while the CDPA does not.
The opt-in consent requirements seen in both federal privacy proposals are significant, and differs from primarily opt-out consent required under the CCPA and other US state privacy laws. Under both the COPRA and CDPA, affirmative opt-in consent is required for the processing of sensitive personal information such as health records or financial information. Opt-in consent is a feature of some of the most rigorous data privacy laws around the world such as the EU, and we can see that US privacy regulation is starting to move towards the direction of opt-in consent as well.
The US has lagged behind Europe and other developed nations in terms of privacy regulation and enforcement in the past decade. As privacy issues and data breaches continue to garner attention, consumers and businesses alike will be closely watching to see if a comprehensive privacy law can be passed in the US in 2020.
Global Privacy Insights
Looking internationally, we can expect GDPR enforcement fines to ramp up in 2020, along with privacy legislation being introduced in a number of countries across Asia and Latin America.
European data protection regulators spent much of 2019 investigating complaints and data practices, but in 2020, they are getting ready to issue heftier fines for data privacy violations, such as that seen with the UK ICO’s $230M fine on British Airways3. We’ll also see increased privacy legislative activity in the EU around the upcoming ePrivacy Regulation that will regulate all electronic communications beyond the traditional forms of personal data, including social media, cookies, and tracking pixels. The ePrivacy Regulation is expected to be finalized by the European Parliament some time in 2020.
Over in Brazil, the comprehensive GDPR-inspired privacy law Lei Geral de Proteção de Dados Pessoais (LGPD) comes into effect in March 2020, while privacy legislative activity continues in India with the Personal Data Protection Bill (PDPB). In Canada, there have even been consultations by the government to introduce regulations around the responsible use of AI4
Making Privacy a Differentiator
Privacy legislative activity is increasing in the US and around the world. Just about every individual in the developed world is now covered by some sort of privacy law and the stakes are higher than ever. Businesses need to continuously adapt to various privacy laws and data protection requirements to remain compliant and competitive in this globally connected world.
If your business has already made steps towards GDPR or CCPA compliance, you will be in a better place to anticipate future data protection requirements. Those that embrace these rapidly developing privacy trends as an opportunity to improve their privacy and security program can make privacy and data protection a business differentiator. Consumers and enterprise leaders alike want to better understand how their data is being used and shared, and see real value in having their personal data protected.
SD Elements allows companies to build privacy into their products from the start by generating a list of GDPR and CCPA data protection tasks to help guide developers through the software development lifecycle securely and with privacy in mind.
- >https://www.thompsoncoburn.com/insights/blogs/cybersecurity-bits-and-bytes/post/2020-02-24/class-action-case-against-ring-may-test-ccpa-s-private-right-of-action
- >https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law.pdf
- >https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/
- >https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/responsible-use-ai.html