It is an understatement to say that a lot has happened in privacy law during the past decade. Here is my list of the most notable developments.
NOTE: I am giving a particular emphasis to what I find to be notable from a United States perspective. What is notable privacy law depends upon where one is situated. For example, if one is from a small country, that country’s developments are quite notable even if not well-known on a worldwide stage.
This cartoon depicts the travails of complying with the CCPA as it rapidly evolves. The CCPA originated when a referendum regarding consumer privacy rights was scheduled to be on the ballot in November 2018. Alastair Mactaggart, the referendum’s sponsor, offered to withdraw it if California passed a law. So, in the summer of 2018, the California legislature passed the CCPA in an all-out dash to beat the deadline for the referendum’s withdrawal.
Businesses scrambled to get ready to comply by the CCPA’s effective date – January 2020. Being ready to comply with the CCPA requires quite a lot of work. Further complicating compliance, the CCPA is riddled with ambiguities and difficult tradeoffs between privacy and data security.
This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR. In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA). And, there will be a new referendum on privacy law in California next year — CCPA 2.0. There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on. And, each year, more and more countries are passing new comprehensive privacy laws.
We are witnessing the growing pains of privacy law. Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed. A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.
This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). The GDPR Article 15 provides for DSARs. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.
I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help to assess how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States. But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA. For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks. Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the list, but HIPAA is just limited to certain forms of health data.
The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.