A Watershed Moment for U.S. Privacy Law?

The recent passage of California’s Consumer Privacy Act marks a potential shift in privacy law in the United States.  As it stands, the law will have a sweeping effect on businesses nationwide, imposing obligations and restrictions on certain organizations collecting personal information of California residents.

California’s new law, the California Consumer Privacy Act of 2018 is a rigorous privacy law modeled, in part, on the European Union’s General Data Protection Regulation (GDPR).  The law grants new privacy rights to California consumers, and in doing so, introduces greater obligations for companies.  Notably, the law creates a private right of action for California residents in the case of a security breach.  The California law was fast-tracked to avoid a possible ballot initiative and, as such, California lawmakers have indicated that clean-up legislation could be passed before it becomes effective in 2020.  In addition, a rulemaking by the Attorney General is expected before the effective date.  More details on California’s digital privacy law can be found here. 

While the California law has garnered considerable attention, it is not the only one of its kind.  Other recent state laws and initiatives restrict the types of information that businesses can collect and share, creating new privacy obligations for businesses.  For example, Vermont passed the first state law regulating data brokers, that is, aggregators of personal information.  In May 2018, Vermont’s legislature passed H.764, which requires brokers to make annual disclosures related to the companies’ data collection and storage practices and the sale of consumer information.  Beyond new transparency and privacy elements, the law also requires comprehensive information security programs and disclosure of data breaches to the state.  Vermont’s law becomes effective in 2019.  Several other states are currently considering privacy measures.

Meanwhile, there are major privacy initiatives and discussions being undertaken at the federal level, as well.  For example, the Federal Trade Commission (FTC) launched a proceeding on Competition and Consumer Protection in the 21st Century, reviewing its policy and enforcement priorities in light of 21st Century developments, including new technologies.  Privacy is a major focus.  Additionally, the National Institute of Standards and Technology (NIST) announced that it will develop a broad privacy framework, equivalent to NIST’s Cybersecurity Framework.  It expects to release a Request for Information in the near future.  And, of course, there are international privacy regimes, such as the GDPR, whose long reach impacts businesses here in the United States.   

The emergence of these various privacy regimes—from a patchwork of state-based privacy laws to various efforts at the federal level and internationally—have and will continue to impact US businesses.  Companies that store, access, share, or otherwise handle consumer information will need to address a series of issues.  For example, how will organizations navigate complex and overlapping compliance and reporting structures?  If rights differ from state-to-state (or country-to-country), will companies provide additional rights, where not required?  Will federal lawmakers see a need to address data privacy or breach notification issues in a uniform way at the national level? 

Organizations and companies, whose products or services rely on connected-devices and user data should closely monitor these developments, as recent legislation and government-led privacy initiatives raise the possibility of a privacy framework in the United States.