If you have any online commerce with America at all, then you probably know that the US has until recently had only the thinnest patchwork of state and federal laws governing personal data protection. There are a few federal regulations covering very specific sorts of data misuse (e.g., children’s data, healthcare data, driver’s license data, credit data), most of which need not concern most businesses. As for the states, while most required notification of a data breach, only Massachusetts required companies to have an actual written policy on how a company collects and uses data.
It was this dearth of regulation that led to the famous Privacy Shield for European companies wishing to transfer data to the USA. But all that changed in June 2018 when California adopted the California Consumer Privacy Act (CCPA), due to become effective in January 2020.
The CCPA was a marked shift in approach to data protection in the US, and it is no surprise that it was promulgated in California, possibly the most progressive of states in terms of consumer protections. Drawing extensively from GDPR, its goals are the same: responsible stewardship of personal data, transparency, and providing control to data subjects. While there are significant differences in the approach of each regime, perhaps the biggest difference, quite ironically, is due to something they have in common: a “private right of action”.
That is, individuals in both Europe and California can privately file civil lawsuits for money damages due to breaches of the respective laws. In Europe, a civil suit for money damages in such a scenario would be a serious problem to be avoided. In America, on the other hand, a class-action lawsuit in these circumstances could be catastrophic. If you know anything about litigation in America, then you know that it can be debilitatingly expensive and time-consuming compared to that in the UK or Europe; and while the CCPA’s right to sue is somewhat limited, it still presents significant risks.
What has halted Congress’ deliberations toward an overriding federal law is a two-pronged problem. First, consumer advocates lobby in favour of a private right of action, while industry lobbies against it. Second, and just as importantly, states are divided as to whether a federal law should have supremacy over differing state laws (i.e., whether federal law should “pre-empt” conflicting state laws) as regards the private right of action. So, suppose Congress enacted data protection legislation that does not allow private enforcement through lawsuits. Would that federal law then pre-empt the CCPA, which does allow such suits? Given that California by its sheer size has 53 of the total 435 representatives in the lower house of Congress, a federal resolution seems complicated indeed. Moreover, whether a final federal law does or does not include a private right, the decision will anger a large constituency of America.
Adding to this complication is creeping chaos among the states that do legislate in the absence of overriding federal laws, for they do so regardless of whether their laws conflict with the laws of other states. Since CCPA was enacted, at least six other states have introduced similar laws, including New York’s heralded Privacy Act, which not only had a private right of action, but sought to make data-collecting companies fiduciaries of the people whose information they collected. Had the bill passed, it would have added yet another complicating layer for companies trading in both New York and California, necessitating a system to treat data subjects in each state differently. Mind you, there still would be potentially 48 more states to go!
A discussion of the various state laws and their differences is beyond the scope of this article. Suffice to say for now that, other than GDPR, CCPA is the most comprehensive state law European companies will need to deal with when collecting personal information in the USA; and it does not look like any federal law will supersede it anytime soon.
My personal view is that Congress, rather than putting their collective necks on the line, would rather wait and see how state regulation pans out (what problems it solves and what problems it creates), after which they may ride in like the cavalry to write and adopt the least objectionable form of regulation they can.
Until then, European companies or their US subsidiaries, depending upon the character and extent of their data collection in the USA, would be wise to do the following in preparation for CCPA:
- Review the personal data they hold, especially in light of California’s broader definition of personal information;
- Determine which data is controlled or processed and is most at risk, making sure that access rights to such data are clear and verifiable;
- Determine whether contracts with clients, customers, vendors or suppliers fall within any exception for service providers;
- Confirm that opt-out or delete-me requests are actionable and verifiable;
- Prepare and incorporate privacy notices compliant with both GDPR and CCPA;
- Prepare an internal auditing procedure to ensure compliance with all aspects of the laws, overseen by staff dedicated to the regime.
Until the US Congress finds a safe path to data regulation based on verifiable experience and that won’t alienate important constituencies, it looks like we’ll be stuck with a bit of a patchwork.
As always, feel free to contact us with any questions you may have.