As we approach the end of a momentous 2019 we take a look at five privacy issues for the coming New Year. For those among our readership in the United States, the California Consumer Privacy Act (CCPA) would likely occupy the top slot, primarily due to the confusion over the law’s regulations and requirements.
Still with the U.S. there’s the ever-elusive federal privacy legislation, FTC actions, and the involvement of state attorneys general in privacy enforcement.
Over in Europe we have the General Data Protection Regulation (GDPR) which, during its first year of enforcement, has cost multiple millions in fines for companies found to be in violation.
As data privacy practitioners, we have witnessed many changes in the privacy and data protection landscape. And, as we enter a new decade, 2020 is already looking to be on course for more of the same, as we anticipate a sequence of significant developments and challenges in the 12 months ahead.
So, what data privacy challenges can we expect to face in 2020?
#1: The EU, GDPR and Brexit
The GDPR has served as a helpful model for several state-level privacy laws across the U.S. – particularly in the case of California’s CCPA, which is considered to be heavily influenced by the EU legislation. Consequently, it’s our view that U.S. companies with business interests in Europe, that have already been through the GDPR compliance process, should experience fewer challenges achieving compliance with the CCPA.
But, much to the consternation of covered businesses in Europe and beyond, the GDPR was never destined to be a one-off piece of privacy legislation. Many companies approached GDPR compliance as if it was like passing a driving test. And like so many new drivers, we start off with all good intentions, but slowly revert to bad habits over time, failing to observe the rules and responsibilities that govern road safety.
A fellow privacy practitioner recently said “GDPR requires a lifestyle change”. That means building robust privacy principles into your daily business processes so that it becomes a habit, whereby you don’t even think about whether to do it because it has become part of what you do.
However, most businesses are not even close to making that “lifestyle change”. Even those whose best efforts have put them in fairly good shape still have a long way to go before the GDPR is fully integrated into their business processes.
As the GDPR evolves and more enforcements take hold, covered businesses will have to grapple with the operational challenges of implementing GDPR in order to demonstrate an ongoing commitment to compliance. And with GDPR v2.0 looming large, this privacy law is not going to go away.
On top of all this is the ongoing ‘Battle of Brexit’. To say that the UK is in a state of uncertainty is a gross understatement, and there are bigger problems ahead than just data privacy. Switching over to a new set of laws governing privacy for UK residents, whilst also continuing to comply with the GDPR where EU citizens are concerned, is likely to cause mass confusion for data privacy. There is also the potential disruption of data transfer mechanisms between the EU, the UK, and the U.S. to consider.
#2: California and the CCPA
It is quite clear that understanding and implementing California’s Consumer Privacy Act (CCPA) in 2020 presents significant challenges for businesses across every sector. Having assisted a number of mid-market corporations, including Fortune 500 companies, with business interests in California, we are anticipating an impact that equals that of the GDPR back in May 2018. The main difference is the comparatively shorter time frame that covered companies have to work with, plus an even more complicated set of legal requirements.
Whatever your opinions concerning the basic structure and content of the legislation, the language used in the current version of the CCPA is widely considered to be confusing in the extreme.
One U.S. law firm recently commented that due to the intersections of the law’s provisions across data flows, it is now imperative that companies prepare early, in order to address “complicated issues with business partners up and down the line”.
Just like the GDPR, CCPA 2.0 is also on the horizon, and given that amended and new regulations are yet to be finalised, ultimate compliance will be no mean feat.
#3: The Federal Trade Commission
The Federal Trade Commission (FTC) is still viewed by many to be the principal data privacy regulator. However, the vast majority of the FTC’s actions have been concentrated not so much on privacy as on data security issues. Earlier this year, the department got tough on companies that have fallen foul of data breaches, with earth-shattering fines.
A variety of new investigative proceedings are also in progress, causing privacy practitioners and covered companies alike to sit up and take notice of the FTC’s every move. At the same time, it is evident that the FTC has been hampered to a certain extent by its own primary enforcement tool, which generally does not provide the means for imposing fines in the first instance.
It seems pretty clear that the FTC is looking for ways to up its game on data privacy enforcement.
#4: Federal Legislation – ‘The Elusive Butterfly’ of National Privacy Law
Federal Privacy Law. Hmm, not much to say here. This potential ‘slap-in-the-face’ for state-level privacy has been an ongoing debate for almost 20 years. And there’s still no sign of any meaningful progress any time soon. That said, many believe that the combined effect of the GDPR, California’s CCPA, plus a wide assortment of privacy violations and data security scandals involving big tech corporations is making a nationalized privacy law increasingly likely.
While all this is going on (or not going on), deepening concerns over the current state of play in Congress, together with a tempestuous presidential election year, clearly indicate that a federal privacy law is extremely unlikely to finally make an appearance in 2020.
Now, we at The Data Privacy Group are in no way professional tipsters, but it’s our guess that more states are likely to follow in California’s footsteps, even if they embellish with their own regulations that don’t keep in step with the CCPA. All it will take is for half a dozen states to pass their own privacy laws in 2020 for national privacy legislation to be more likely to be passed, albeit not before 2021.
#5: Involvement of State Attorneys General
Currently, almost every state Attorney General shares the same essential consumer protection authority as the Federal Trade Commission. However, state AGs are not inhibited by some of the procedural limitations that hamper the FTC.
During 2019, state AGs started to flex their muscles by asserting their authority, both as individuals and as a collective. This included coordinated cases, such as the New York-led antitrust probe into Facebook, when New York State Attorney General Letitia James announced that 47 attorneys general from states and U.S. territories planned to take part in a multi-state investigation last September.
We will certainly be watching next year to see if such collaborative enforcement continues to grow, and whether state AGs involve themselves in privacy governance only where corporations have engaged in actions that contravene privacy laws, or whether the AGs become more politically motivated in their ongoing efforts.
As data privacy practitioners, we already know that we will have our work cut out for us in 2020. Already we are seeing greater challenges on the horizon for businesses across the globe, together with growing concerns over privacy enforcement on an international scale.
Companies around the world and across all industries who collect, process and disclose personal data to support their business operations will face greater risks, if they want to also enjoy the opportunities and benefits of doing business in our connected world.