Thursday, January 2, 2020

Was 2019 the “Year of Privacy” in the U.S.? (Or Will It Be 2020?)

What a year it has been! As one year closes and another begins, let us take a moment to reflect on the significance of 2019. It may not be an exaggeration to say that 2019 brought some of the most important changes in privacy and data security law that most of us have seen in our professional careers.

Yet, with all the momentum toward heightened consumer data protection, there remain conspicuous absences: Congress again considered, and again failed to deliver, a comprehensive privacy and data security bill. The North Carolina General Assembly declined to meaningfully revise the State’s core privacy and cybersecurity statute (the Identity Theft Protection Act or ITPA); House Bill 904, the most recent incarnation of Representative Jason Saine’s and Attorney General Josh Stein’s bipartisan update to the ITPA, languishes in the General Assembly. The General Assembly did, however, approve some modest updates to the data security laws affecting North Carolina government entities, in HB 217/SL 2019-200, giving the State Chief Information Officer greater oversight of State agencies’ cybersecurity controls.

Other states were more successful in modernizing privacy and data security laws in 2019. Forty-three states (and Puerto Rico) considered more than 300 proposed changes to privacy and cybersecurity laws in 2019, ultimately enacting 31 statutes. Although they cannot all be described in detail in this post, most have at least one of the following aims:

  • requiring government agencies or businesses to implement training or specific types of security policies and practices;
  • creating task forces or commissions;
  • restructuring government for improved security;
  • studying the use of blockchain for cybersecurity;
  • providing for the security of utilities and critical infrastructure;
  • exempting cybersecurity operations information from public records laws;
  • addressing the security of connected devices (the Internet of Things);
  • regulating cybersecurity within the insurance industry;
  • providing funding for improved security measures; and
  • cybersecurity threats to elections.1

One state law, of course, stands out from among all others. Throughout 2019, the California Consumer Privacy Act (CCPA) dominated the headlines (as well as the thoughts, dreams and nightmares of privacy and data security lawyers). The CCPA is driving a fundamental shift in the way we think about data protection in the United States, forcing companies to carefully contemplate the personal data they collect, hold, use, and share. Though it lacks the aggressive extraterritorial reach of Europe’s General Data Protection Regulation, the CCPA will apply to many companies throughout the United States and around the world, including many North Carolina-based businesses. Though enacted in 2018, the CCPA was amended, and proposed regulations were released, in late 2019; and with a January 1, 2020 effective date, most practitioners were intensely focused on the CCPA throughout 2019.

Even as 2020 arrives, companies are still wrestling with many patent and latent ambiguities in the CCPA and its proposed regulations. In fact, many have argued that the California Attorney General’s proposed regulations added to the ambiguities rather than reducing them. The regulations are expected to become final very soon, and the Attorney General stated publicly, that the final regs are not expected to differ substantially from the proposed regs—in other words, the final regulations are unlikely to offer new answers.

Because the California Attorney General’s proposed regulations were released so late, and were not made official by the statutory effective date of January 1, the Attorney General is delaying enforcement of the regulations by six months—until July 1. However, his office intends to take action on violations of the statute that occur between January 1 and July 1, and plaintiffs could bring claims under CCPA beginning January 1. Accordingly, most companies would prefer to achieve compliance sooner rather than later. That may be easier said than done. Even companies that have been actively pursuing compliance since 2018 were forced to pivot due to the various amendments passed in September 2019 (and the failure of some amendments to pass) and the new requirements imposed by the proposed regulations released in October 2019, putting them far behind schedule. According to a survey conducted by the International Association of Privacy Professionals in April 2019, one-quarter of companies were targeting compliance by July 1 (the enforcement date), rather than January 1 (the effective date); in a subsequent survey this summer, the number had grown to one-third. My suspicion is that a majority of companies subject to the CCPA are now targeting a July 1 compliance date, in light of the many new and different requirements and uncertainties arising from the amendments and regulations.

As dramatic as 2019 has been for privacy and data security law, 2020 may be even more eventful. We can be fairly certain that plaintiffs will bring actions under CCPA and other laws; the Federal Trade Commission, state Attorneys General, and other domestic authorities will bring enforcement actions; states and municipalities will continue to enact divergent data protection laws, further complicating the domestic legal landscape; and foreign nations will continue to adopt data protection laws, largely drawing upon common principles found in the GDPR and its predecessors. On top of all of this, the creator of the CCPA, Alastair Mactaggart, is already advancing a so-called “CCPA 2.0” to tighten the requirements and strengthen enforcement. It is an exciting (and sometimes frightening) time to be a privacy and data security lawyer. I look forward to navigating these uncharted waters along with you in 2020! 

[This blog post is re-posted from the North Carolina Bar Association.]