The California Consumer Privacy Act and the Future of Privacy Law in the US

Posted by Mark Greisiger

A Q&A with Jon Neiditz of Kilpatrick Townsend & Stockton LLP

Passed in 2018 and slated to go into effect January 2020, AB 375 or The California Consumer Privacy Act (CCPA) was created to give consumers better ownership and control over their personal data but opens up a world of compliance questions for businesses that sell such data. We spoke with Jon Neiditz, who co-leads the Cybersecurity, Privacy and Data Governance practice at Kilpatrick Townsend and Stockton LLP about the Act and its implications for the future of privacy regulation.

How does CCPA differ from Europe’s recently passed GDPR law?

The EU data protection has for decades – understandably given history – disfavored “automated decision-taking,” and the GDPR now disfavors profiling, creating broad obstacles for the digital economy. Instead, the CCPA focuses its special burdens more narrowly on data brokers. In light of recent revelations about Cambridge Analytica, the Act was written with the intent of changing the digital economy relating to the sale of personal data. Under the Act, entities that sell personal data must put a button on the homepage of their company sites that allows consumers to opt out of having their personal information sold to third parties. Because CCPA does not create special obstacles for automated processes, it creates more of a level playing field between AI and humans, which depending on your outlook, can be good or bad, but it certainly enables technology innovation and, I believe, may therefore be a better basis for an American GDPR.

What challenges does CCPA pose to companies, and what changes are we likely to see?

Both CCPA and GDPR reach deep into operations regarding user rights; GDPR reaches much more deeply into many other areas of operations , but both require companies to reorganize their systems and data in order to respond to consumer rights. But CCPA was drafted hastily, and much of it, even after technical fixes, does not make sense yet; significant legislative changes are expected in 2019. Because these laws, unlike the breach notification laws, reach so deep into operations, the prospect of similar but different laws like CCPA in other states is an enormous concern, potentially unworkable and maybe unconstitutional. The result is that passage of this act has created an unstable environment in which every industry is beating a path to Congress to ask for national legislation.

What other developments are changing the future of privacy law?

A big one is the LabMD decition by 11th Circuit Court of Appeals; the FTC failed to petition for cert to the Supreme Court by the deadline, so it is now the law of the land. This case goes to the heart of what FTC is doing in information security, determining that the agency’s “unfairness” consent decrees requiring information security programs are too vague to be constitutional. To get more specific through rules on information security, as the FTC is contemplating, would be a mistake except in setting minimum standards for “low-hanging fruit;” the threats change too fast for the FTC to keep up, even if they hire a lot more technologists, and the needs for public-private cybersecurity initiatives transcend FTC-style regulation of whether corporations practice “reasonable” security. Meanwhile, the tech companies (in their testimony of September 26th) all expressed their agreement with privacy advocates that there should be strong federal privacy legislation enforced by the FTC. The net-net, I believe, combining the impact of the CCPA with the impact of LabMD, is that we should have a new privacy regime enforced by the FTC and a new approach to cybersecurity outside of the FTC.

Is there any upside to the adoption of CCPA?

The vast majority of people—privacy advocates, businesses, everyone—absolutely hate CCPA. It will most certainly have to be modified to be put into practice. However, I see something there that we can work with and a productive threat. It creates a new opportunity for everyone in their respective corners to come together and create a new kind of privacy law that actually works.

In summary…

We want to thank Mr. Neiditz for his legal insights into this looming 2020 cyber risk issue facing most large organizations operating in the USA. He underscores the key focus of the CCPA, to require companies to be more transparent about their data collection methods and data sharing practices, thus allowing a data-owner to have a say. With our business operations and personal lives so intertwined and increasingly dependent on technology/data, it would seem that this type of law is important for maintaining checks and balances. But equally important are the new risks facing organizations as they realize that their practices do not match their intended privacy promises to customers. It will be interesting to see whether this regulation serves as a basis for even more privacy-related class-action litigation exposure once it goes live.

A final thank you to Mr. Neiditz, who has been a thought leader for NetDiligence and our cyber risk insurance clients for over a decade. We value his opinions and advice.