Now that I’ve finally (mostly) cleared out my inbox post-ILTACON, I have a few minutes to ruminate on the two data privacy sessions I attended. Tuesday’s session, titled Data Privacy: Everyone’s Getting In On It, featured Michelle Merola as the moderator and panelists Lauren Doerries, Tsutomo Johnson and Joshua Lenon. Thursday’s session, titled Data Privacy: The anniversary of GDPR and the shape of things to come, featured Terri Garland as moderator and panelists David Hansen, Richard Hogg, and me.
Both sessions looked at the current state of data privacy and the impact it’s having on all our organizations, whether law firm or corporate, but each with a different focus. Tuesday’s session focused mostly on the legislative aspects, Thursday’s on the practical application of the laws in the way we do business. Some of my takeaways:
- United States (US) legislation is sectoral and vertical, whereas the General Data Protection Regulation (GDPR) is all-encompassing and horizontal. If you think about the privacy laws that are in the common legal IT lexicon, things like HIPAA come to mind. The US laws are industry specific, regulating government, education, finance, banking, healthcare, and telecom, but the US does not have one all-encompassing federal law (yet). Unfortunately, sectoral privacy isn’t going away in the US any time soon. Organizations need to stay on top of changes in FTC, state-based, and international regulations.
- Data breach notification laws can vary widely across states. Thirty are somewhat similar, while the other twenty are all over the place. Some state laws require that you show damages, others don’t. Those states that don’t require proof of damages might see more lawsuits, especially in a litigious society – it introduces the potential for abuse of the law.
- While the European Union (EU) Data Protection Directive, as a precursor to GDPR, brought the concepts of data processors and controllers into our collective consciousness, GDPR was a sea change in privacy law. GDPR brought together disparate laws across multiple countries into one consistent law and created an extra-territoriality aspect that hadn’t really existed before.
- The California Consumer Privacy Act (CCPA) was referred to by Tuesday’s panelists as “a boondoggle” and “a mess”. I recently read an article that referred to it as a “dumpster fire”. The issues with CCPA seem largely to be knowing when it applies and when it doesn’t. The CCPA as written becomes effective on January 1, 2020, allowing consumers to file suits regarding data breaches. But there is a second component that becomes effective on July 1, 2020 that allows the California Attorney General to initiate administrative action against an organization without an individual making a request.
- The CCPA creates data protection rights and applies the concept of extra-territoriality, but the law does not apply to every company. Only companies that meet certain thresholds for total revenue, percentage of revenue derived from consumer data, and/or volume of California residents’ data are required to comply. Nonprofits are exempt from the organizational obligations under CCPA, but are not exempt from being sued if they lose user information in a data breach. So there are ways around the CCPA, whereas with GDPR there is no ambiguity: the EU uses the size of the entity to scale the fine, not to define who is subject to the privacy legislation.
- There have been thousands of enforcement actions taken under GDPR with varying tiers of fines. Globally fines have totaled about $50 billion. Violation of one regulation generates a red flag for other authorities, leading to potentially more fines if those authorities decide to act.
- The definition of personal data is incredibly broad. As defined under GDPR, any information, when taken in aggregate, which could be used to positively identify a person is considered personal data. David Hansen, for example, demonstrated how he can be positively identified by the fact that 1) he lives in a certain Utah town and 2) he owns a specific brand of sneakers (he showed them to us).
- Some small companies have claimed that the costs of compliance would put them out of business. How do you calculate the break-even point? A company’s average cost of compliance is about $1.5 million, and the average total cost of a data breach $3.9 million, about a third of which is loss of reputation.
- It’s more than just the right to be forgotten. GDPR outlines basic rights that individuals have to their information: erasure, consent, access, portability, correction. Those rights entitle you to know what information is being held, how it’s being used, and the right to rescind consent to your data being used.
- You need to understand what data you’re required to release, and what you’re exempt from. Identity verification is mandatory under CCPA. Releasing data without positive identification is a potential breach too!
- Privacy by Design is foundational in any system that stores data, and privacy impact assessments need to be conducted on all systems. It requires you to be proactive, not reactive. You need to know what information you’re collecting, how you’re processing it, and how you might be transferring it. Seek data minimization throughout the process. You can’t lose what you don’t have.
- A ‘Privacy Culture’ is just as important. You need to educate your users on your obligations as an organization. There is a difference between responsibility and accountability, and it extends from the mailroom all the way to the CEO or Firm Chair. Embed a culture of privacy into everything you do.
So how do we deal with all of these regulations? Understand that the regulations do overlap quite a bit. The work you’ve done to prepare for GDPR can be applied to CCPA and other impending laws. Conduct a gap analysis to see where you’re already compliant and where you need to update for new regulations. Prepare for the most restrictive laws, so you’re already in compliance with less restrictive laws as they’re ratified.
Privacy compliance is not a checkbox – it’s a journey.
This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes.