Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.
2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.
But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.
Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.
State Privacy Law
The CCPA went into effect on January 1, 2020, which means that businesses subject to the CCPA will start receiving and responding to consumer requests. Complicating that process is the fact that the California Attorney General’s office still must publish its final interpretative regulations. It published draft regulations in October 2019 and held public hearings in December 2019. The extent to which the final regulations differ from the draft regulations could substantially impact compliance efforts.
The AG office’s enforcement authority will kick in on July 1, 2020. The manner in which the AG chooses to exercise its enforcement authority will no doubt substantially impact compliance strategies and potentially clarify ambiguous aspects of the law.
Lawmakers also will need to continue working on the statute in 2020. For example, the employee and business-to-business exemptions are set to expire at the end of 2020. Those efforts will be complicated by a new ballot measure that seeks to strengthen the law (see below).
CCPA Class Action Litigation
Although the CCPA’s privacy-related rights have deservedly garnered significant attention, the CCPA’s provision allowing for statutory damages for data breaches promises to be just as significant. As of January 1, businesses that suffer data breaches can be sued by California residents for statutory damages of between $100 and $750 per consumer, per incident. That provision will undoubtedly lead to a proliferation of class action lawsuits in 2020 and beyond.
Developer and CCPA co-creator, Alastair Mactaggart, is once again gathering votes to get a new privacy initiative – the California Privacy Rights and Enforcement Act – on California’s November 2020 ballot. The new initiative, dubbed “CCPA 2.0,” imposes limitations on data retention and businesses’ use of “sensitive personal information” (such as sexual orientation, biometric, health and financial information), adds the right to correction, and triples the maximum penalties for privacy violations of children under 16, among other potential revisions to the CCPA. Additionally, the business-to-business and employee-related exemptions set to sunset in 2021 would be permanent carveouts under CCPA 2.0.
Perhaps most notable is that CCPA 2.0 would establish a separate government agency to implement consumer privacy laws and monitor compliance, similar to enforcement powers under European data protection laws. Having a state agency dedicated to enforcing state privacy laws would undoubtedly increase the risk of noncompliance.
The official title and summary of the proposed initiative was circulated by the California Attorney General’s office on December 17, 2019. Mactaggart has until late April to submit the requisite 623,212 verified signatures. Assuming enough signatures are gathered, the deadline by which the Secretary of State must certify initiatives for the November ballot, and by which Mactaggart may withdraw the initiative, is June 25, 2020. Given this timeline, we will know whether the CCPA is likely to be rewritten before the AG’s office can even begin enforcing it (July 1). If the initiative proceeds to the ballot and is approved by a majority vote, the statute will take effect, and certain portions thereof (e.g., business-to-business and employee-related exemptions) would be operative, the fifth day after the Secretary of State certifies the election results. Certain other provisions would not be operative until 2023 and, in the interim, the current CCPA would govern.
Washington Privacy Act
Last year, to the surprise of many interested observers, the Washington House failed to pass the Washington Privacy Act (SB 5376) that had sailed through the Washington Senate. Undaunted, Washington state legislators plan to try again with a privacy bill that would give residents the right to opt out of data collection and to learn what data about them has been gathered, and to request that such data be corrected or deleted. Violations would be prosecuted by the Washington State Attorney General, and the bill would not provide for a private right of action (although that could certainly change).
Reports indicate that the legislation would also contain limits on the use of facial recognition technology by government agencies and law enforcement, but it is not known whether any limits on this technology would apply to private sector industries as well. The new bill is expected to be introduced in early 2020.
Colorado Attorney General Phil Weiser recently made headlines when he confirmed that “it’s likely we pass a privacy law in Colorado in 2020.” Lawmakers in Virginia also recently pre-filed proposed privacy legislation.
In addition to Colorado, Virginia, and Washington, other states will certainly consider CCPA-like privacy legislation in 2020. Last year, around 15 states considered similar legislation. While some of those state legislatures (e.g., Texas) only convene every other year, there are a number of states poised to make a run at enacting consumer privacy legislation.
An important aspect of these laws that must be tracked is whether any state is willing to create a private right of action for violations of privacy-related rights. The CCPA does not create such a private right of action, instead vesting enforcement solely with the AG’s office. If a state were willing to break down that barrier, it could lead to a tidal wave of privacy-related litigation.
It is also worth noting that on June 7, 2019, Maine Governor Janet Mills signed a data privacy regulation bill which bars broadband internet access providers from disclosing, selling, or permitting access to a consumer’s personal information unless the consumer gives express consent. The bill also prohibits broadband providers from discriminating against a consumer that refuses to provide consent to the accessing of his or her personal information. This new law will go into effect on July 1, 2020.
Illinois Biometric Information Privacy Act (BIPA)
In 2019, over 500 class action lawsuits were filed under Illinois’ BIPA statute, following a ruling early in the year by the Illinois Supreme Court that plaintiffs can bring claims under BIPA even where their biometric information was not improperly disseminated and they have not suffered any actual financial or other harm. In 2020, courts in this tidal wave of BIPA litigation should begin issuing decisions clarifying BIPA’s scope and addressing defenses raised by defendants. Facebook has petitioned the United States Supreme Court to review an August 2019 decision by the 9th Circuit which rejected Facebook’s Article III standing defense and affirmed the certification of a class that presents a multi-billion dollar exposure to Facebook. A decision on whether the Supreme Court will accept review is expected in the first quarter of 2020. Other federal courts and Illinois state courts are expected in 2020 to issue rulings on constitutionality, statute of limitations, damages, statutory exclusions, and other unsettled BIPA legal issues.
State Cybersecurity Law
NY SHIELD Act
New York’s SHIELD Act, which will go into effect in 2020, focuses on three key areas. First, the law expands the definition of private information. Second, the law tightens the requirements for providing data breach notifications. Third, the law imposes a new requirement on entities possessing private information associated with New York residents to implement “reasonable” security measures to protect that information.
The SHIELD Act does not give affected residents a private right of action. Like the CCPA, enforcement cases are handled by the NY Attorney General’s office. Nevertheless, the potential penalties for an entity that violates the SHIELD Act are noteworthy. For data holders who fail to notify their employees or customers of a data breach, the SHIELD Act provides that monetary relief may be awarded to the victim. If New York residents do not receive data breach disclosure notices, and the residents were entitled to receive them, courts can award those residents monetary damages for actual costs or financial losses they incur as a result of the breach.
Amendments to Data Breach Notification Statutes
All fifty states now have their own data breach notification statutes. Each of the past few years, a subset of states have amended their statutes to expand the types of data elements covered by the statutes (e.g., adding biometric information), create new duties (e.g., requiring entities to notify the state Attorney General of the breach), and implement specific deadlines for providing notice.
For example, on January 1, 2020, Illinois’ Personal Information Protection Act, SB 1624, which amends Illinois’ data breach notification laws, went into effect. Under the amended law, “data collectors,” including all entities that handle, collect, or disseminate nonpublic personal information, must notify the Illinois Attorney General when a data breach occurs that affects more than 500 Illinois residents. The notification must include: 1) a description of the nature of the data breach; 2) the number of Illinois residents affected by the breach; and 3) the steps the data collector will take to remediate the breach.
Illinois is but one example of a state law that changed in 2019/2020. There is no reason why this trend will not continue in 2020 and beyond.
Statutory Damages for Data Breaches
Another significant issue worth keeping a close eye on is whether other states will follow California’s lead and implement statutory damages for data breaches. As noted, the CCPA creates statutory damages of between $100 and $750 per consumer, per incident for certain types of data breaches. If other states implement similar provisions, it would significantly increase the consequences of a data breach.
Statutory damages also could have a widespread impact on the cost and availability of cybersecurity insurance. The cybersecurity market has rapidly grown over the past few years. However, if the cost of a data breach is significantly increased due to the presence of statutory damages, insurance companies will need to respond by increasing the cost of insurance, limiting the companies that they will consider, and/or modifying coverages.
On January 1, 2020, IoT legislation went into effect in California and Oregon. Our analysis of those laws can be found here. It will be interesting to watch how these statutes are enforced and whether other states enact similar statutes.
Federal Privacy and Cybersecurity Law
Not only has the CCPA inspired the drafting of multiple other state laws, but it also has resulted in numerous federal data privacy bills. For example, in 2019, lawmakers sponsored numerous federal data privacy bills, including the Filter Bubble Transparency Act, Do Not Track Act, DASHBOARD Act, ACCESS Act, and BROWSER Act.
Most notably, less than a week after Senate Democrats circulated the Consumer Online Privacy Rights Act (COPRA), Senate Republicans followed suit with the United States Consumer Data Privacy Act of 2019 (CDPA). Both COPRA and CDPA provide a strong indication of the increasing federal support for national data privacy legislation. However, given the current divided Congress, the passage of federal data privacy legislation remains uncertain, as any successful legislation will require bipartisan support.
In March 2019, the FTC announced that it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. In July 2019, the FTC announced that it was seeking comment on the effectiveness of the 2013 amendments the FTC made to the Children’s Online Privacy Protection Act and whether additional changes are needed. The FTC’s activity with these regulations will need to be monitored in 2020 and beyond.
The U.S. Department of Education will likely continue its increased focus on data privacy and security in 2020. Colleges and Universities need to pay careful attention to ED’s continued formal and informal guidance on the interplay between the privacy protections provided to students under the Family Educational Rights and Privacy Act (FERPA), the Higher Education Act of 1965 (HEA), and the Privacy Act of 1974 (Privacy Act). This will be of particular importance when an institution is contemplating agreements with third-party vendors that involve student data or information—the analysis will center on the source of the student data at issue. Colleges and Universities should also continue to update and build out their written privacy and security policies since, in addition to best practice, we anticipate that more and more auditors will start to request these types of materials during their annual audit visits.
Forthcoming “Foreign Adversary” Rule for Information and Data Transactions
In late November 2019, the U.S. Commerce Department published a proposed rule which would give the Secretary of Commerce authority on a case-by-case basis to prohibit persons subject to U.S. jurisdiction from engaging in information and communications technology and services (ICTS) transactions involving certain foreign governments or foreign persons that the Commerce Secretary has determined to be “foreign adversaries” (as well as persons subject to the jurisdiction or direction of such foreign adversaries) with the potential to negatively impact U.S. national security or the U.S. digital economy. In its current proposed format, the rule would retroactively apply to transactions initiated, pending or completed after May 15, 2019. This proposed rule has not yet become official and the Commerce Department is still in the process of accepting comments from the public. Comments on the rule were originally due on or before December 27, 2019, but the Commerce Department has now extended that comment deadline until January 10, 2020. The Commerce Department should issue a final version of this rule sometime in 2020 after it reviews those comments, although the exact timeline for the forthcoming final rule is currently unclear.
In the coming year, we will continue to monitor these (and no doubt other) issues. At this point, while no one can predict exactly what the legal landscape will look like when we enter 2021, it appears certain that the landscape will be much different than it looks today.