Over the past year, the realm of data privacy has drastically changed as consumers and regulators alike focus more intently on protecting the information individuals share with businesses. During the course of 2018 alone, large-scale data breaches such as those affecting Facebook, Equifax, Yahoo, and Marriott impacted hundreds of millions of consumers. In 2019, businesses can expect a continued focus on data privacy matters and enforcement of new laws designed to protect consumers from lax security practices and opaque privacy disclosures.
With the new year kicking off, here are the top four privacy trends businesses need to pay attention to in 2019.
1. California Consumer Privacy Act of 2018 (“CCPA”)
Signed in 2018, the CCPA will go into effect in 2020, meaning 2019 is the year for businesses to assess their operational compliance and begin putting in place the required policies and procedures. At a high level, the CCPA gives California residents the right to know what data is collected from and about them, the purposes of the collection, and how that data will be used or shared. Californians may also opt out and restrict companies from selling their information.
Generally, companies subject to the CCPA are for-profit companies that collect private information from consumers. If a company operates in the state of California and meets one of the following thresholds, it may be subject to the CCPA:
- the business has revenue of $25 million or more in a given year;
- the business buys, sells, or receives personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
- the business derives 50% or more of its annual revenue from selling a consumer’s personal information.
The CCPA is a first-of-its-kind law in the United States centered on data privacy. Its strict privacy requirements will have serious implications for the technology industry, as well as for companies that primarily engage in data collection and sale, such as lead generators. Although the law is subject to change before implementation, and the California Attorney General has already requested some modifications, including an enhanced private right of action, businesses should begin planning and implementing revised data privacy standards in 2019 so they are ready to go come January 1, 2020.
2. European Union’s General Data Protection Regulation (“GDPR”)
The GDPR took effect on May 25th, 2018 and governs data privacy practices for businesses collecting or processing personal data of individuals located in the European Economic Area and Switzerland. The primary purpose of the GDPR is to give individuals control over their personal data and protect their privacy interests in such data.
Under the GDPR, individuals have many rights afforded to them including:
- the right to be informed about how the data is processed;
- the right to access the personal data collected;
- the right to have incorrect information corrected;
- the right to have personal information erased;
- the right to restrict processing of one’s data;
- the right to data portability;
- the right to object to data processing; and
- the right to have requests processed by natural persons as opposed to automated systems.
If a company violates a consumer’s rights under the GDPR, it could be fined up to 4% of its global revenue or €20 million, whichever is greater.
Many companies have found that compliance with GDPR takes considerable time and investment. From developing new policies and procedures and implementing new security protocols to performing risk assessments and mapping data flows, companies should expect that a comprehensive GDPR compliance system will require investing tens of thousands of dollars on the low end and millions of dollars on the high end. However, given the steep penalties and reputational risk of GDPR violations, this investment is well worth the time and capital.
3. Federal Trade Commission’s (“FTC”) Focus on Data Privacy and a National Data Privacy Law
Over the past year, many privacy groups have been calling on Congress and the FTC to enact stricter privacy laws and regulations. The FTC recently addressed these frustrations and concerns in a hearing held on data privacy in December. During the opening remarks of the hearings, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated:
“This is an excellent opportunity for us to revisit policies and question old assumptions. Data security will continue to be an important priority for the FTC, and the FTC will not be retreating from its role as the nation’s primary data security law enforcement agency.”
During the two-day hearing, experts discussed the need for increased data security of private information and the negative implications that arise from increased regulation. Overwhelmingly, the experts testifying called for uniformity of laws. In an instance of cooperation, trade groups and technology companies have also pushed for a national uniform data privacy law. Given the agreement between government and industry on the need for uniform standards, it is likely that we will see progress on a national data privacy law in 2019.
4. States Strengthening Their Own Data Privacy Laws
Over the course of 2018, 11 states passed legislation expanding data breach notification rules and, in some cases, enacted more stringent laws intended to protect consumers:
- Alabama (SB 318) – Passed its first data breach notification law
- Arizona (HB 2145) – Expanded current breach notification rules and the definition of personal information, and tightened notification timelines
- Colorado (HB 1128) – Strengthened consumer protection laws by requiring formal security policies and increased oversight of third parties
- Iowa (HF 2354) – Passed legislation regulating online services and mobile apps for students
- Louisiana (Act No. 382) – Strengthened current data breach law
- Nebraska (LB 757) – Enacted a requirement to maintain specific security practices and procedures that flow down to third parties
- Oregon (SB 1551) – Strengthened data breach notification laws
- South Carolina (H4655) – Enacted a law that imposes heightened breach notification and security requirements (specifically on the insurance industry)
- South Dakota (SB No. 62) – Enacted its first data breach notification law
- Vermont (H. 764) – Enacted legislation regulating data brokers
- Virginia (HB 183) – Amended its breach notification laws regulating data brokers
In 2019, businesses should expect more of the same as states work to respond to growing public pressure for data privacy protections and many attorneys general seek to fill the “enforcement void” they believe they are seeing at the federal level.
Overall, businesses should be aware of the possible changes that will occur to data privacy laws over the course of 2019. Ignoring the growing call for uniformity and protections from breaches will leave a business behind the curve and expose it to ever-growing risk. By taking the time to invest in stronger data privacy protections now, smart businesses will be well-positioned to deal with the data privacy challenges of this year and beyond.
* Tanner Lawrence contributed to this post.