The bloc has become the dominant regulator around the world in data privacy because of the rollout of GDPR. Widely viewed as the gold standard, GDPR recognizes privacy as a fundamental human right and prohibits organizations from collecting and processing personal data without a lawful exception. In contrast, current US law permits the collection and monitoring of personal data unless privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) expressly restrict access. In 2019, 76 cases with fines were recorded, up from about 27 in 2018. The investigation by Ireland’s Data Protection Commission into Facebook and Twitter is one of several now being undertaken by DPAs. Meanwhile, the UK’s Information Commissioner’s Office (ICO) studies the GDPR compliance of business practices like ad tech, real-time bidding and live facial recognition—an example of methodical groundwork for future enforcement.
The CCPA (explained here for consumers and businesses) went into effect on January 1, 2020. Like GDPR, the CCPA has inspired other jurisdictions—Hawaii, Massachusetts, New Jersey, Pennsylvania, Rhode Island, Puerto Rico and Washington—to propose privacy bills. The effect of CCPA is rippling through the nation, as companies like Microsoft choose to apply the rules throughout the United States. More than one-third of businesses will fulfill CCPA requests from anyone, not just California residents, according to a PwC survey of CIOs. Many financial services companies and healthcare companies say they will not exercise CCPA exemptions for data covered by HIPAA and GLBA.
Spending on CCPA compliance is extensive: 43% of businesses will spend more than $10 million, with 20% topping $100 million. Driving the high costs are expectations of a high volume of consumer calls: two-thirds of companies expect to field more than 500 calls per day, with 11% planning for over 10,000 daily.
State attorneys general (AGs)
State attorneys general are likely to have a greater impact on privacy law enforcement than any US governmental agency. The New York Attorney General’s office has already levied fines of more than $600 million related to data breaches based on existing statutes. It also recently joined the Federal Trade Commission (FTC) in levying fines for violations of children’s online privacy.
More state laws are coming: In 2019, bills or draft bills on consumer data privacy were introduced and are pending in at least 18 states and in Puerto Rico. The Mind Your Business Act, introduced by Sen. Ron Wyden (D-OR) in October 2019, calls for state AGs to be empowered to enforce data privacy regulations. While it’s unlikely to become law, the act captures the spirit of more punitive enforcement—allowing privacy watchdogs to sue on behalf of individuals, and imposing tax penalties on companies when their CEOs misrepresent privacy practices.
In Congress, efforts are afoot to create a national privacy law. Various members of the US Senate are jockeying to have their data privacy law pushed through first. The Senate Commerce Committee’s Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) have been working on building consensus around the legislation since fall 2018. Meanwhile, the Senate Banking Committee’s Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) have been drafting their own version of privacy legislation.
Meanwhile, in the House, the Online Privacy Act of 2019 (HR 4978) introduced by Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) in November 2019 calls for establishing an independent federal agency to enforce privacy protections and investigate abuses.
Business advocates of federal privacy law
Business leaders and groups have become more vocal about the high cost and ineffectiveness of fragmented, and sometimes conflicting, state privacy laws. The Business Roundtable’s 2020 American innovation agenda calls for harmonizing approaches to data privacy and security to remove roadblocks to innovation. Its push for a single national privacy law puts enforcement in the hands of the FTC, one of the few points on which most proposed federal privacy bills agree.
But many efforts to craft a national privacy law have failed. Legislators and business leaders hold opposing positions on the basic principles from which rules flow. For example, Apple CEO Tim Cook, in a speech expressing support for a US data privacy law, raises at least three points that are not universally held: “We at Apple believe that privacy is a fundamental human right […] Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency […] We’re not willing to leave our users to fend for themselves. And, we've shown, we'll defend those principles when challenged.”
Citizen and business privacy advocates
CCPA resulted from the work of concerned citizens Alastair Mactaggart, Rick Arney and Ashkhan Soltani. As chronicled in a New York Times Magazine article, they were troubled by the amount of data companies are allowed to collect to make “increasingly precise guesses about what you wanted, what you feared, and what you might do next.” So they set out to take on the data industry. By putting the question directly to consumers through a state ballot initiative, they kept it a citizens’ movement until the California State Legislature wrote what is now known as CCPA. Mactaggart will follow the ballot initiative path again in 2020 with his proposal to strengthen consumers’ control over their personal data, as well as organizations’ obligations around data privacy.
Meanwhile, the US does not lack for business models that prioritize privacy—although going up against the giants has limited their scale. Gabriel Weinberg, CEO of browser DuckDuckGo, advocates the right of individuals to opt out of online tracking. Among the implications is the return to contextual ads, instead of behavioral ads that follow individuals as they search, buy and interact online. There are also social media start-ups that won’t make money from personal information or ads.