With all 50 states now having their own data breach notification laws, there’s a patchwork of legislation for companies to comply with. And not every state has a data privacy protection law, but the majority do or have bills pending.
Attorneys and companies continue to wrestle with obligations under the laws. Statutes can’t possibly predict every iteration of security or privacy crises that could come up, so there will be continuing scrutiny on how their small but significant words and phrases — “unauthorized acquisition” and “reasonable” security measures — get interpreted.
Davis Graham & Stubbs held a panel May 15 to update attorneys on the patchwork of state cybersecurity and data privacy laws, including Colorado’s own cybersecurity statute that went into effect last September. Moderated by partner Trent Martinet, the panelists included of counsel Camila Tobón and associates Adrienne Kovac and Alex Paalborg. They also talked about recent ill-fated legislative efforts in other states and rumblings at the federal level.
Tobón, head of DGS’s privacy and data security group, told Law Week one area with continuing interpretation is defining “unauthorized” acquisition and use of data, and how breach and data privacy laws both touch on the concept.
Tobón said one legal gray area within data security law is when companies share consumer data with third parties but don’t disclose why they’re sharing it.
“Is it a violation of their policy just because they shared it? Should they have told consumers about the reasons why they’re sharing it? Probably, but it’s more of a gray area,” she said.
She added U.S. laws — with the exception of California to a limited extent — don’t tend to address boundaries around secondary data uses — say, when companies collect consumer data for one purpose and then wish to use it for another purpose afterward — which would likely fall more under the purview of data privacy laws. The Federal Trade Commission provides some guidance on how words and phrases in statutes get interpreted, especially the meaning of “reasonable” security measures. It has entered consent decrees with companies when it determined their security precautions weren’t adequate.
The high points of Colorado’s breach notification law include the types of personal information covered, the notification time window requirement, the requirement for companies to develop reasonable data protection measures, and how they have to approach disposing of data they don’t need anymore. The state’s 30-day notification window for data breaches is among the shorter timeframes among the 50 states.
California’s Consumer Privacy Act will go into effect January 2020, and it remains the most comprehensive data privacy statute passed in the U.S. Among its provisions are compliance requirements for companies that do business in California and sales of state residents’ personal information. Among the penalties are a hefty $7,500 per intentional violation and a statutory cause of action up to $750 per consumer per incident.
Congress has yet to pass breach notification and data privacy laws, but not for a lack of debate.
Paalborg said some of the most talked-about privacy proposals, mostly brought by Democratic Senators, address an array of topics such as companies’ fiduciary duties, consumer opt-in and opt-out structures and penalties. If federal laws do eventually pass, preemption over state laws is one question to address.
Notably, two proposals brought by Massachusetts Sen. Edward Markey and Intel Corporation focus on business behavior rather than on consumer choice.
“Markey was of the opinion that instead of having these long privacy policy and consent forms that no one really reads, it may be more effective to actually limit certain uses” of personal data, Paalborg said.
“You’re seeing this shift away from traditional notice and consent to more focus on business conduct and use limitations.”
Tobón told Law Week scrutiny has increased on what it really means for consumers to consent to the collection and use of their personal information, especially considering how quickly technology evolves. In practice, some gray areas of consent can include automatically checked opt-in terms and conditions boxes that consumers have to manually uncheck to opt out, or the user agreements themselves if they’re so long and esoteric that it may not be reasonable to expect consumers to read them.
“It’s two questions, really. One, are consumers really consenting? And number two, do they really know what they’re consenting to?” Tobón said.
In January, Intel put out a second draft of its Innovative and Ethical Data Use Act.
Paalborg said one key part of the draft bill is its federal preemption over state laws. However, Intel wasn’t seeking legislative sponsors to actually introduce the bill.
Paalborg said one particular obstacle to a federal data privacy law having preemption over state laws is the fact that California Democrats comprise about 10 percent of the House.
The state’s Consumer Privacy Act is comprehensive, and its lawmakers likely would push back against preemption by a federal law they see as less strong. Paalborg added he believes it’s unlikely a federal data privacy law will pass before the 2020 election.
“I could be wrong,” he said, adding to audience laughter. “I’ve been wrong about many political predictions.”
—Julia Cardi