With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.
To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:
- two noteworthy recent EU and US regulator enforcement actions;
- changes in the US state data privacy law landscape, including the proposal from the California Attorney General’s Office to expand enforcement authority and class action litigation under the California Consumer Privacy Act; and
- US Congress’ consideration of a first-ever comprehensive US federal privacy law.
EU and US regulators continue to increase the stakes for data privacy enforcement
On January 21, 2019, in one of the largest privacy fines announced globally, the French National Data Protection Commission (CNIL) imposed a €50 million penalty against a tech giant for violation of the General Data Protection Regulation (GDPR). This was followed by press reports in February that the US Federal Trade Commission (FTC) is currently negotiating a multi-billion dollar fine against a social media giant to settle the agency’s investigation into its privacy practices. To date, the largest fine the FTC had imposed on a tech giant for breaking an agreement with the government to safeguard consumers’ data was a US$22.5 million penalty settlement in 2012.
Specifically, the CNIL’s enforcement action focused on the GDPR’s transparency and consent requirements and provides useful tips for companies that are looking for guidance on how to design privacy policies and consent tick boxes (click here for our earlier coverage of the multi-million Euro GDPR fine and key takeaways).
The FTC’s investigation started in the immediate aftermath of the Cambridge Analytica scandal, which focused on the controls a company must have on how its data is shared with and used by third parties. The complete scope of the investigation, however, has not been released yet but will likely include a broader review of the company’s data processing methods and practices, including how the company uses the data it collects from its members.
These CNIL and FTC actions signal that data privacy enforcement risk is now among the top risks a company must consider as part of its enterprise risk management framework.
The CCPA and CCPA-copycat laws in the US could bring higher scrutiny to privacy violations in the US
Several US states, following the GDPR’s passage last May, are proposing their own data protection laws that provide certain GDPR-like consumer rights. However, the US states’ approach has key differences noteworthy for businesses operating in the US.
The California Consumer Privacy Act (CCPA), passed in June 2018 in response to the Cambridge Analytica scandal, is slated to become the most comprehensive data privacy law in the US. The Act goes into effect on January 1, 2020 and, like the GDPR, provides certain rights to consumers, including the “Right to Know,” “Right to Access,” “Right to Opt-Out” and “Right to Deletion.” Additionally, the CCPA greatly expands the definition of personal information, so applying these rights in practice will require significant changes to how companies operate. The Act, unlike any other previously-enacted data protection law, also requires an opt-out link on the company’s website to allow consumers to opt out of data sharing with third parties. The Act permits a private right of action in the case of data breaches and allows for administrative penalties to be imposed by the California Attorney General of up to $7,500 per violation with no maximum cap (click here for coverage of the CCPA’s key requirements).
Companies now have less than a year to put compliance programs in place for the CCPA, and yet the California legislature is continuing with its efforts to amend the law, adding to increased uncertainty for businesses. On February 22, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced legislation to strengthen and clarify the CCPA. Among other things, the bill would: (1) no longer require the Office of the Attorney General to provide businesses and private parties individual CCPA-compliance advice; (2) remove language that would have previously allowed companies to cure CCPA violations prior to the AG bringing an enforcement action; and (3) provide consumers a private right of action to seek remedies for any violations of their CCPA rights, not just limited to data breaches. If this proposal were to be adopted, it would further expand the AG’s ability to bring enforcement actions and significantly increase class action litigation in California.
Not to be outdone by California, eleven (11) states—including Maryland, New Jersey and Washington—have recently introduced similar legislation. Among other things, the bills include their own versions of opt-out rights and impose new disclosure requirements that are slightly different from those of the GDPR and CCPA. If enacted, these laws would result in significant costs for businesses as they try to understand and put in place a privacy framework that complies with this patchwork of US and non-US laws, which often have overlapping and conflicting requirements. In fact, the level of complexity and uncertainty posed by these various changes in the legal landscape is leading businesses to call on the US Congress to step in and implement comprehensive national data privacy legislation.
The US Congress’s response to regulator and state data privacy activity
In response to increased enforcement action and US state activity, the 116th US Congress has introduced several data privacy bills to implement a federal data privacy standard in the US. For example, the American Data Dissemination Act (S. 142) would “impose privacy requirements on providers of internet services similar to the requirements imposed on Federal agencies under the Privacy Act of 1974”. The Social Media Privacy Protection and Consumer Rights Act of 2019 (S. 189), among other things, would require covered entities to “(1) offer a user a copy of the personal data of the user that the operator has processed, free of charge, and in an electronic format; and (2) notify a user within 72 hours of becoming aware that the user’s data has been transmitted in violation of the security platform.”
Indeed, even the US Government Accountability Office – a federal legislative agency that provides the Congress auditing, evaluation, and investigative services – recommends that the US Congress pass federal data privacy legislation, stating that “[r]ecent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation.”
If the US Congress passes federal data privacy legislation, it would represent a first-ever federal privacy standard, with the promise of uniformity and consistency in what would otherwise be a patchwork of state laws and regulatory standards.
This week, the House Energy and Commerce Committee and the Senate Commerce Committee are holding hearings on what key issues the federal privacy legislation should seek to address. We will provide an update covering the two committee hearings here.
Recent enforcement actions by EU and US regulators and active legislative changes at the state and federal level in the US mean that data privacy risk should be one of the top risks managed by companies as part of their enterprise risk management framework. Because the GDPR, the CCPA, and the other state and US federal legislative proposals each introduce new and different requirements on the collection, processing, sharing, and maintenance of personal data, companies should conduct gap assessments at least annually to identify any business activities that are non-compliant or pose a high risk to the company.
As a result of specific requirements under the CCPA, for example, businesses that have either employees or customers in California should consider adding the following to their compliance project plans for 2019:
- review, revise, and deliver training for a new Employee Privacy Notice that complies with the CCPA;
- draft and roll out new processes and train key internal teams that would intake and respond to privacy inquiries and complaints;
- review and test incident response plans that prepare the organization to respond effectively in the case of a data breach; and
- review and roll out Master Service Agreements with restrictions for data use by service providers that are required under the CCPA.
U.S. GAO Report: INTERNET PRIVACY: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility, GAO-19-52. Published: Jan 15, 2019. Publicly Released: Feb 13, 2019.