A year ago, we learned that political data firm Cambridge Analytica had obtained the records of more than 50 million Facebook users. In the wake of the seemingly endless parade of privacy scandals that followed, the public is finally fed up. Americans are collectively tired of data breach notices, having credit cards replaced and learning from the New York Times, instead of Facebook, how exactly Facebook is using their data.
Where the public is angry, law is sure to follow. Legislators worldwide are stumbling over one another to do something—anything—to avoid doing nothing. The result is an alphabet soup of existing or proposed state and federal privacy regulations, many not yet in final form. The laws apply across broad swaths of geography to some but not all businesses in the United States and bring with them a set of overcomplicated or not-yet-finalized rules. From the European Union, we have the General Data Protection Regulation; from Canada, the Personal Information Protection and Electronic Documents Act; from California, the California Consumer Privacy Act; from Washington State, the Washington Privacy Act; and from the federal government, the Consumer Data Protection Act. The list goes on.
Thus, businesses find themselves in a privacy bind. They want to comply but are finding it next to impossible even to determine which laws apply to them, let alone what those laws require. For the privacy-law weary, a few thoughts to help weather the storm:
First,privacy law is no longer a question of “if,” but “when” and “what.” Reorganizing your operations to avoid the EU’s GDPR by, for example, eliminating European employees and subsidiaries or culling mailing lists, makes little sense now that we can see wave after wave of similar U.S. laws on the horizon. What’s the point of avoiding GDPR only to be hit by some other law with basically the same requirements?
Second, figuring out exactly which states’ privacy laws apply to your business is hard. Predicting what those laws will require is not. Most of the laws say about the same thing: Notify users how and why you use their data; be prepared to respond to individuals’ requests to obtain, modify, or delete information you have about them; and adopt commercially reasonable security measures in relation to that data. If, for example, an individual customer asked you for copies of all the data you have about him or her (even in emails), would you know where all that data is located? You should. Do you store user passwords in plaintext, weakly hashed, or in an unencrypted database? You shouldn’t.
Third, with those basic requirements in mind, get started now. Take high-level, generalizable steps toward compliance: 1) map and classify your organization’s data so you know what you have; 2) ensure you have the technical capacity to retrieve data about individual customers or employees in a timely fashion; 3) develop a policy for handling access requests (e.g. whose job is it to review them?); 4) review your data protection agreements with business partners to ensure they are up to date.
Businesses are in an odd position. The legal landscape is unclear, but sitting back and waiting until the dust settles could be costly. Privacy law is picking up steam across the country, with numerous bills threatening hefty fines or consumer class-action liability for noncompliance. Because compliance takes time, businesses must begin efforts now to comply with privacy laws not yet in force (California’s CCPA takes effect in 2020) even while it remains unclear who it is that will ultimately do the regulating (the federal government or some collection of state laws).
Fortunately, the end result—GDPR-style individual privacy rights in the U.S.—is clearer than the path we will take to get there. Businesses can start taking the initial steps toward privacy compliance now and by doing so will position themselves well to address whatever data privacy framework or frameworks ultimately apply.
Greg Dickinson is a senior associate attorney with Harter Secrest & Emery LLP. His legal practice focuses on privacy and data security, technology and commercial and appellate litigation.