When the California Consumer Privacy Act goes into effect on January 1, it will be the first major piece of American data privacy legislation – but it will likely not be the last. While 22 states currently have some form of data privacy law, many more will soon follow or be updated, if the growing call for regulation of data from nearly 20 billion internet-capable devices currently in use is any indication.
Though legislation from individual states creates layers of protection for constituents, it creates a host of compliance issues in the business landscape – namely, that the individual states’ laws will necessarily have different requirements and demand time and resources to satisfy each of them separately.
“A lot of companies want to build [legislation] on a national basis,” said Bruce Teichner, senior vice president and managing counsel at Wells Fargo, in a panel about the emerging data privacy patchwork at the Bloomberg Law Leadership Forum, held on Sept. 18, 2019, in Washington, D.C. “What is the standard that you are going to apply to the other 49 states? What exactly are you doing and what is the fallback when there are claims and issues in these other 49 states?”
Jo Ann Davaris, global chief privacy officer of Mercer, pointed to the open letter signed by 51 CEOs of major U.S. corporations in September 2019 that called for federal data privacy legislation that preempts individual state laws. That letter, which was signed by the likes of Jeff Bezos of Amazon and Jamie Dimon of JPMorgan Chase, addressed the need for corporate standards but also what they saw as reasonable protections for consumers.
“I know that when corporations speak up on the pro side of privacy, it’s sometimes not with a credibility behind it. Sometimes those that are speaking for privacy have gotten in trouble with the FTC or other enforcement agencies,” Davaris said in the same panel talk.
To her, this letter indicates that everybody is feeling the same pressure to anticipate forthcoming standards and devise ways to comply with rules that don’t yet exist. “We need to band together to have that be heard, that it’s important that bipartisanship aside, there has to be something that can be agreed on together,” Davaris said. “That is better than nothing, or the patchwork that’s coming.”
“From an industry perspective, it’s always great to see that this is becoming a more and more validated area, and things that we have asked for change in [are actually changing],” added Jennifer Couture, chief privacy officer and privacy legal counsel at Alexion Pharmaceuticals. “But at the same time we … keep feeling the financial impact of that.”
For its part, the Federal Trade Commission has been very vocal about asking Congress to give it rule-making authority and civil penalty authority in the area of privacy and data security.
Kristin Cohen, chief of staff for the Division of Privacy and Identity Protection for the FTC, spoke on the panel about the challenges her agency faces without civil penalties in addition to potential disgorgement or redress.
“Being able to tie a particular breach or a particular privacy practice to a consumer’s injury is often very challenging, so in order to really be able to provide deterrents and get companies to really be paying attention to this, we need civil penalty authority,” Cohen said.