Go to the gym. Eat less sugar. No booze for January. Pass privacy legislation.
As legislatures across the country opened for new sessions in January, it was evident that many representatives had added "expand individual privacy rights" to their list of resolutions.
Here are five things that we’ll be watching closely in 2020:
1. What happens next in California?
The California Consumer Privacy Act (CCPA) went into effect when the clock struck midnight on January 1, 2020, bringing about a seismic shift in privacy rules in the United States. But the aftershocks continue, and the rules will likely continue to shift for companies doing business in the state in 2020.
California Attorney General Xavier Becerra is required to finalize, by July 1, 2020, the draft CCPA regulations released in October. Becerra’s office will be able to bring actions to enforce the CCPA in July of this year.
The new year could also bring further changes to the CCPA. Alastair Mactaggart, the CCPA’s architect, is once again proposing a ballot initiative, this one called the California Privacy Rights and Enforcement Act (CPREA). The bill would expand disclosure obligations and collection and use restrictions for all businesses, as well as require large data processors to conduct cybersecurity audits and risk assessments.
If Mactaggart gathers the required number of signatures (just over 623,000) and the Secretary of State verifies them by June 25, the initiative will go on the November ballot. Whether privacy law is created by the state legislature or ballot initiative matters greatly; a law enacted as a ballot initiative cannot be amended by the legislature unless the initiative includes such a provision.
California lawmakers are also likely to take up the issues of employee privacy and privacy in business-to-business interactions. Exemptions for data collected and used in these contexts in the current CCPA are set to expire at the end of 2020, creating pressure for permanent rules that take into account the unique nature of this data.
Finally, California’s data broker registration statute also went into effect at the beginning of the year. This law requires data brokers—companies that sell the personal information of Californians with whom they do not have a direct business relationship—to publicly register with the Attorney General by January 31 each year.
2. Will other states follow California's lead?
Organizations could barely click "save" on their updated privacy policies before news broke that Washington state was considering its own new comprehensive consumer privacy law. Copycat CCPA laws were introduced in seven other states this month, as discussed here. While it is difficult to predict the likelihood that any one of these bills will become law, their sheer number and the significant public interest in data privacy issues mean it is likely that California will not be alone for long in regulating in this area.
It is possible that companies will soon have to reckon with the dreaded "patchwork" of state-by-state obligations placed on them. Some new state laws propose to go beyond disclosure and restriction of "sale" obligations of the CCPA and place internal restrictions on data use, including requirements to conduct data protection assessments across the organization. Legislators also continue to grapple with the question of how to enforce privacy legislation, with several draft bills proposing private rights of action.
Congress has seen no shortage of consumer privacy bills introduced or circulated for discussion in the last few years. However, none have gained significant traction due to disagreement over key issues such as preemption of state laws and a private right of action, and no resolution appears imminent.
3. How are legislators looking to regulate privacy, beyond creating consumer rights?
In addition to laws that create broad consumer rights, legislators are likely to pursue privacy legislation targeted at particular data types and data uses. Multiple bills to amend the Children’s Online Privacy Protection Act (COPPA) have already been introduced in the 116th Congress. The FTC is taking public comment on potential changes to the COPPA regulations, on the back of significant action against Google and YouTube.
Similarly, both state and federal legislators have discussed education-specific data privacy laws that amend or supplement the federal Family Educational Rights and Privacy Act.
State legislatures in recent years have also shown an increased appetite for regulating data brokers. Data brokers are generally defined as companies that buy and/or sell people’s personal information and do not have a direct relationship with the data subject. New rules could require such businesses to publicly register with the state, limit the data they collect or sell, or provide some form of notice to individuals whose data they traffic in.
Other privacy issues of concern to lawmakers include the use of artificial intelligence to decide what level of services to offer specific consumers, facial recognition based on publicly shared photographs or footage from cameras in public spaces, "emotion detection technology" that attempts to identify how people feel based on their facial expressions, and "sentiment analysis" to identify emotions expressed in spoken and written words.
4. Will legislation regulate internal data use?
The CCPA does not place any limit on how an organization can use data for its own business operations—only with whom it may share such data (so long as the organization’s uses are appropriately disclosed). This means that privacy rights in California—and potentially other states debating copycat CCPA bills—are limited to those consumers who have the wherewithal to choose to exercise their rights. Legislators in other states, however, are starting to look at the harms caused by internal use of data.
The Washington Privacy Act and Virginia Privacy Act drafts would require organizations to justify their internal data uses and require consent for processing of sensitive data. Legislators are also attempting to regulate the use of large sets of data in automated processing, including for targeted advertising and business decision-making.
Such rules would create new operational challenges for organizations, as proposed rules would force them to self-regulate their engagement in activities that allegedly produce consumer harms but provide little guidance as to what constitutes consumer harm.
5. How will new bills seek to regulate advertising?
The CCPA does not directly regulate the use of data for targeted advertising unless such use involves a sale. As such, many organizations in the AdTech space went to significant efforts in 2019 trying to figure out how to structure data ecosystem activities so that targeted ads could be delivered without "sales"—for example, through setting up service provider relationships or causing opt-outs to trigger restrictions in process.
However, the proposed privacy laws in Washington and Virginia would force businesses, and thus AdTech generally, to implement consumer opt-outs any time targeted advertising is delivered, not just when sales of data occur.
Washington and other states are also considering data broker laws that would require companies that acquire and sell data but do not have a direct relationship with consumers to register with the state and implement reasonable security to protect consumer data. Such bills may not result in any changes in the delivery of ads but do stand to increase transparency in the industry, which may result in increased consumer demand for options.