One topic likely to continue to dominate in 2019 is how businesses can stay on top of data privacy regulations. By the time the European Union’s General Data Protection Regulation went into effect in May, savvy international companies had already been preparing for months. And with major regulations going into effect in California next year, companies will need to start new preparations and keep an eye out for other laws that get passed in state legislatures around the country.
Many state legislatures in 2018 passed their own cybersecurity or data privacy regulations for businesses, if they hadn’t already. Vermont was the first state to set regulations for “data brokers” — those companies that trade in personal information — and set reporting and security guidelines for them. Colorado made headlines for joining the top echelon of states in consumer protection regulations by setting short reporting deadlines for breaches involving personal information. And while some states, such as Alabama, enacted their very first data privacy laws, California passed a nation-leading consumer protection law that could trigger a new wave of regulations across the country.
The federal government has yet to take on the issue of creating unifying national regulations, which facilitates the “Red Queen race” in states leapfrogging one another to set standards on data privacy.
Where this trend continues in 2019 is anyone’s guess.
FEDERAL QUESTIONS
Many might wonder whether the impact of the EU’s GDPR on international corporate compliance will lead the federal government to pass its own regulations in the coming months. Some bills have already been introduced on the issue — ranging from sweeping measures, like Oregon Sen. Ron Wyden’s proposal to put the Federal Trade Commission in charge of setting standards, to Georgia Rep. Hank Johnson’s bill to require app developers to get consent for data collection. But data privacy laws are most likely low on the priority list in Congress.
“There are two issues,” said David Stauss, a partner at the Denver office of Ballard Spahr and head of the cybersecurity and data privacy practice group in the Denver and Boulder offices. “Does it happen at all, given the state of the federal government and its inability to get much done; and second will be whether legislation will create a floor or a ceiling.” Stauss said federal bills are creating a tug-of-war between businesses and privacy advocates pulling lawmakers in opposite directions.
Congress has demonstrated an interest in data privacy, as evidenced by Mark Zuckerberg’s appearance before Congress to discuss Facebook’s data privacy in relation to the Cambridge Analytica scandal. Although the event showed Congress is prepared to take on the issue of regulating data privacy, that same event could indicate that lawmakers in Washington, D.C., aren’t yet equipped to pass sweeping regulations. Following Zuckerberg’s appearance, jokes spread throughout social media about the senators’ questions regarding how Facebook is monetized, whether Zuckerberg’s dorm room experiment Facemash was still live and whether Facebook was the same as Twitter.
AS GOES CALIFORNIA …
Although Zuckerberg’s congressional testimony didn’t yet spark any changes, the presence of tech companies at the center of the data privacy issue does have an impact on state regulations. California, the home of the usual suspects of the privacy world — Google, Facebook and Twitter — passed regulations last year that are likely to make an impact on the U.S. in much the same way the GDPR did. California’s regulations might be of more interest to domestic companies, though, since they will likely lead the way for other state laws.
The California Consumer Privacy Act will go into effect Jan. 1, 2020. That law gives consumers rights to require companies to delete their data, request what data is being collected and how it is used, and to opt out of allowing businesses to sell their personal data to other entities.
And just as the GDPR was maybe the marquee business regulation for 2018, compliance with the CCPA will be a major business issue in 2019.
“Clients will have to deal with this just like GDPR,” Stauss said. “A lot of Colorado entities and entities across the nation will have to push compliance in order to avoid getting into a tight spot with that law. … I’m anticipating California will be the first of potentially multiple states in enacting consumer privacy statutes.” Stauss said California’s law might also be the push the federal government needs to pass a bill.
Although business entities that collect consumer data have an interest in getting more lax regulations passed, they might be more amenable to federal regulations simply to make compliance easier. “If other states jump into this and there’s a 50-state solution to privacy, [businesses] have to comply with 50 different state laws,” Stauss said. “It’s hard to comprehend, but it’s gotten business interests to the table.”
STATES TO WATCH
Given that it’s still January and states are just convening their legislatures for the year, it’s tough to predict what states might end up making changes in 2019. Some states have come close to passing new regulations last year, but that isn’t a guarantee those bills will be revived this year. New York and Texas have interest groups that could push for GDPR-like regulations in their states, Stauss said, but as of yet, there’s nothing to report.
And Colorado, fresh off passing cybersecurity regulations in 2018, does not yet have any proposals of going further with data privacy regulations. Stauss said he doesn’t think legislators “have an appetite” for new regulations.
Also making it difficult to read the future for other states, there aren’t any clear leaders for new regulations. “State stuff can pop up out of nowhere,” Stauss said. Every state government will say it favors consumer protection, and all it takes is one bad incident to spark change. “If you get a legislature that gets invested in these issues or has a data breach or takes offense to what Facebook is doing, they’ll just pop up and move forward,” Stauss said.
The only thing Stauss said will happen for sure is something.
“On this issue of privacy at either the state or federal level, we’ll see a lot of movement,” he said. “I can’t tell you what it’s going to look like, but it will be a different landscape.”
— Tony Flesor