This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR. In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA). And, there will be a new referendum on privacy law in California next year — CCPA 2.0. There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on. And, each year, more and more countries are passing new comprehensive privacy laws.
We are witnessing the growing pains of privacy law. Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed. A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.
This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). The GDPR Article 15 provides for DSARs. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.
I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help to assess how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States. But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA. For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks. Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the last, but HIPAA is just limited to certain forms of health data.
The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.
These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States. When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of narrow industry-specific laws. Then, in the late 1990s and early 2000s, there was a brief debate in the US about passing a comprehensive privacy law, when a few companies suggested it. But most companies shot down the idea. They liked the sectoral approach. They were okay with being regulated by a patchwork of various federal and state privacy laws.
At the time, when discussing the issue at conferences and events, I said that this view was short-sighted. The rest of the world was starting to move toward a comprehensive privacy law. The patchwork of laws left many gaps and holes in privacy protection and had countless inconsistencies. Congress did nothing.
Congressional Paralysis and the Rise of the States
Since 2000, Congress has largely been unable to pass many privacy laws. It has largely passed amendments to existing laws, but it hasn’t passed many major pieces of sectoral privacy regulation, let alone a broader privacy law. Partisanship, as well as a lack of compromise and maturity, have rendered Congress unable to craft laws with the nuance and balance needed to address privacy and data security issues. During this time, the states have passed a blizzard of laws. Every state has passed a data breach notification law. States have passed countless privacy laws too — especially California.
A New Urge for Congress to Act
The EU’s General Data Protection Regulation (GDPR), which started being enforced in May 2018, and the passage of California’s Consumer Privacy Act (CCPA) have reignited the debate over a comprehensive federal privacy law. “It’s time,” many people are saying. Now, industry is crying out for a comprehensive federal law. In November 2018, in response to a call for comments on a federal privacy law by the NTIA, numerous companies responded by stating that they were now in favor of a federal privacy law.
But with this Congress, I think that a comprehensive privacy law is unlikely.
For years, many policymakers, industry representatives, and commentators were opposed to a comprehensive federal privacy law. They typical federalism arguments were often trotted out. Then, in 2018, California passed the California Consumer Privacy Act (CCPA). Now, there seems to be a chorus for a comprehensive federal privacy law with preemption. I’ll be posting soon about my thoughts on a federal law and on preemption.