Category: Uncategorized

We participated in this year’s Privacy Law Salon: Privacy Roundtable, a unique meeting where the most experienced privacy leaders engage in candid roundtable discussions about today’s most pressing privacy issues, under the Chatham House Rule. We share below our main takeaways from the Roundtable in a high-level, non-attribution format.

On the CCPA & Other State Privacy Laws

Privacy leaders commiserated on the CCPA, citing the uncertainty stemming from vague definitions, unauthenticated individual rights requests, the lack of harmony in compliance approaches, and the anticipated lawsuits from the data breach private right of action. The uncertainty is compounded by the “copycat” laws introduced by some states that have chosen the CCPA (instead of the GDPR) as its model. The slew of uncertainties aside, participants criticized the CCPA for adding consumer confusion and for not furthering consumer privacy, instead identifying the emerging copycat laws as the CCPA’s real impact.

Some were particularly concerned by the impending enforcement actions by the California Attorney General and the accompanying CCPA regulations that the AG was tasked to promulgate. But others noted the AG’s pragmatic history as a privacy enforcer, citing its record under California’s existing “Shine the Light” law, which gave consumers the right to obtain an accounting of how, and to whom, their personal information had been sold in the past year.

The Roundtable participants brainstormed ideas to tackle the CCPA and growing number of state privacy laws. Some had gotten involved in task forces to establish compliance approaches, norms, and best practices, but others were hesitant to direct energy and resources towards these initiatives given the CCPA Regulations are still in draft and in light of the new ballot initiative, the CPRA, that Alastair Mactaggart introduced for the November 2020 ballot.

Given the uncertainties, practitioners are in favor of taking an incremental (versus long-term) approach to CCPA compliance. Privacy resources are scarce and expensive. Instead of investing in long-term and expensive technology solutions, some are putting up process-based defenses in the meantime, in case they are placed in a position to defend their compliance approach.

It was the perfect setting to debate the privacy law model that privacy practitioners believe ought to be in place, comparing the GDPR, the CCPA, and the data fiduciary models that different states like New York have proposed. A participant highlighted Oregon’s thoughtful approach, which involves a task force and dialogues with different stakeholders. The questions in everyone’s mind were: How do we come up with a better privacy law that protects consumers where they actually care? How do we rise above the “silly” minutia and tackle the real and important issues in privacy? (More on the latter under the Hot Topics section towards the end of this post.)

On a Federal Privacy Law

As many US privacy professionals know, the two main sticking points for a federal privacy law are: preemption and a private right of action. Industry wants broad preemption to address the state uncertainties and a narrow privacy right of action, if any.

For preemption, the question that legislators, lobbyists, and consumer protection groups will have to negotiate is the level of preemption. Should we have field preemption or a HIPAA-like floor?

For a private right of action, participants noted that Congress would need to define injury, class action applicability, and removal rules.

Several federal privacy bills have been introduced, some of which are summarized below. And although they all differ in substance, they all have one thing lacking: the regulation of government to address governmental privacy abuses. In light of this, the main sentiment is that the US will not have a robust omnibus privacy law.

Other issues that were highlighted from the proposed bills are:

• Algorithmic impact assessments – What would these even look like?
• The duty of care, loyalty, and confidential – Some of the bills seem to conflate these different duties.
• A data protection agency (DPA) separate from the FTC – The practitioners seemed to be split on either side of this. At PIX, we recognize the FTC’s robust experience as a privacy and security regulator in the US, while also acknowledging its limitations in authority and resources. Some practitioners argued out that we need a DPA that has congressional independence, pointing out that the FTC can never regulate government abuse. Others commented that there is no will, no path, and no incentive for legislators to create a separate DPA.

Consumer Online Privacy Rights Act 

COPRA was introduced by Senator Cantwell and other Democrats. Some supporters have signaled leaving. Some of its features are:

• Obtain affirmative express consent from individuals prior to processing sensitive covered data;
• Provide transparent privacy policies;
• Maintain reasonable data security practices;
• Conduct privacy/risk assessments;
• Provide individuals rights to access, correction, deletion and data portability.
• Limited applicability to FTC-covered jurisdiction;
• Individual private right of action;
• Leaves state laws in place;
• Duty of loyalty/care; and
• Algorithmic impact assessments 

Consumer Data Privacy Act of 2019 

The CDPA was introduced by Senator Wicker and other Republicans. Its features are:

• Affirmative express consent from individuals prior to processing sensitive covered data
• Transparent privacy policies
• Reasonable data security practices
• Privacy/risk assessments
• Individuals rights to access, correction, deletion and data portability
• Preemption of state data privacy and security laws (except data breach notification laws)
• Duty of loyalty

House Energy & Commerce Committee Negotiated Bipartisan Discussion Draft

The bipartisan draft does not address the controversial issues of preemption and a private right of action, but it does include the following consensus points:

• New administrative unit within the FTC called the Bureau of Privacy to administer and enforce the law
• Establish a privacy program with designated privacy protection officers
• Provide individuals the right to access, delete and correct their information
• Abide by requirements derived from principles of data minimization and use limitation
• Implement reasonable security measures
• Registration requirements for “information brokers”

Algorithmic Accountability Act

This bill would authorize the FTC to create regulations requiring covered entities that use, store, or share personal information to conduct impact assessments of new and existing artificial intelligence and machine learning (AI/ML) “high-risk” automated decision systems (“ADS”) and information systems.

Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act 

The DASHBOARD Act was proposed by Senate Democrats. It would require data harvesters like social medial platforms to inform consumers and financial regulations of the data they are collecting and if the data is being leveraged by the platform for profit.

American Data Dissemination Act

Sponsored by Senate Republicans, the ADD Act seeks to protect both consumers and the innovative capabilities of the internet economies, placing much of the regulatory burden on the FTC.  It would restrict a provider from disclosing a user’s records, provide a user with the right to access and correct records maintained by a provider, establish practices for the collection and maintenance of records, and exempt certain small providers from the regulations’ requirements.

Social Media Privacy Protection and Consumer Rights Act of 2019

This Act is a bipartisan proposal that would grant individuals certain privacy rights. It would also allow covered entities to deny certain services if an individual’s request to opt out makes the service inoperable.

Privacy Bill of Rights Act

This proposal was introduced by Senator Market and would combine GDPR-like terms (including “consent prior to collection of personal information”) with the CCPA’s broad definition of “personal information.”

Data Care Act of 2018

This act would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data.

On International Privacy Laws

The Roundtable participants represented international jurisdictions, which made discussions on international privacy law particularly robust. Some were surprised by the following developments: privacy becoming a ballot issue; the lack of privacy knowledge outside the privacy industry; the lack of consistency in global approaches (which signals a road to extreme fragmentation); and the importation of GDPR standards all over the world, when some were of the opinion that we still don’t know enough about the GDPR’s implications.

GDPR

Regarding GDPR, some Roundtable participants were surprised by the use of data subject requests as backdoors to obtaining data, a development that was less surprising to our CEO given her background in cybersecurity. Others raised the various DPAs’ “schizophrenic” approach to enforcing the GDPR. Some explained the lack of harmonization as expected given the number of DPAs involved: 27. The overall sentiment is that it will likely take years to achieve the GPDR’s purpose of harmonizing data protection within the EU.

The German vs. Irish DPA controversy came up, of course. (The German DPA had likened Ireland’s approach to enforcing GDPR with the German automotive regulator’s go-slow approach on diesel emissions fraud.) Some participants commented that this behavior highlights the DPAs’ adolescent qualities: they are still growing into their new responsibilities as GDPR enforcers, versus mere local DPAs. It will take time to develop a common sense of ownership amongst the DPAs. The controversy also highlights the imbalance of responsibilities amongst the DPAs, with Ireland getting a huge bulk of it. While we know that it takes time to investigate complaints, it bears noting that the procedure for investigations is not harmonized by GDPR. Instead, it is governed by local law, and Irish procedural law is particularly complex. Someone noted that EU law could be triggered if the effectiveness of the GDPR is affected.

Other GDPR issues that came up included a possible adequacy status for California in light of the CCPA. And participants also commented that it looks like Model Clauses are staying for now.

Brazil

Brazil’s LGDP is largely modeled after the GDPR and takes effect later in August. We were surprised to hear that this has not stopped attempts at enforcement ahead its effective date, particularly on the requirement to conduct data protection impact assessments. Many were relived to see that the data localization proposal–supposedly prompted by US spying on the Brazilian president–was abandoned.

India

While India has historically followed the US’s sector-specific privacy model, its current privacy bill proposal was inspired by the EU’s GDPR. It is also inspired by China’s and Russia’s localization requirements. The inclusion of localization in the Indian privacy bill has garnered much pushback across the world. We learned India’s localization requirement is driven by protectionism, not surveillance (China) or populism (Canada).

The bill also includes the concept of digital sovereignty, which is a state’s right to ask for non-personal data, a term that remains undefined.

Canada

Canada’s approach to privacy cane be described as a balance between consumer protection (US) and human rights (EU). While a Canadian federal data breach law recently took effect in 2018, practitioners anticipate a comprehensive federal privacy law this year, to be followed by provincial versions.

On Hot Topics in Privacy

Some of the privacy hot topics that were discussed at the Roundtable include: AI/ML, facial recognition, data ownership, and brain-to-computer and brain-to-brain communications.

Regarding facial recognition, practitioners discussed its pervasiveness and ambient characteristics as the underlying challenges. The issue of government access to facial recognition data and the potential scope creep from initial use cases also came up as serious concerns. Two of the most pressing challenges raised were biased data and biased algorithms, particularly the explainability and justifiability of the resulting decisions made.

On the emerging technologies involving brain-to-computer and brain-to-brain communications, practitioners raised the issue of free will and the possibility of manipulation. The FPF’s draft paper on brain-to-computer communication came up as a potential resource on this nascent privacy issue.

In discussing these hot topics, the question of ethics–specifically whether privacy practitioners need additional training on ethics–also came up. Practitioners also highlighted the FIPPs’ inadequacy in handling these cutting edge issues.

---

The Roundtable provides a forum for privacy leaders to share insights, resources, and solutions to today’s most pressing privacy problems. Its agenda builds in ample time to both (re)connect with other privacy leaders (in addition to the kickoff reception, it included lunches, cocktail hours, and dinners) and time to catch up on work (sessions ended at 2 or 3 pm and the networking didn’t restart until 6pm). There are no sales pitches or vendor booths, although firms and vendors are able to sponsor the event. It is also usually held at the Four Seasons in Miami in February, which is not a terrible location for a privacy conference. With its unparalleled content, attendees, and location, it’s not a surprise that privacy leaders pick it as the one event to go to.

For Data Privacy Day this year, we want to highlight one of our fundamental beliefs at PIX: trustworthy privacy practices are good for business.

Privacy is not just a compliance checkbox. Privacy practitioners traditionally have had to make the argument for privacy in the negative: if we don’t have good privacy practices in place, we will get breached, fined, or sued. After all, good privacy practices can save your company a fortune in compliance costs. Remember, we are living in the age of GDPR penalties of up to 4% of annual global revenue, FTC $5 billion dollar fines, and $1.4 billion dollar breach costs. (And before you bring up the counterpoint of how Facebook and Experian can afford these hefty numbers, ask yourself this: can your company?)

Moreover, the traditional “stick” gets old fast, which is why we prefer diversifying our privacy toolbox with “carrots.” Beyond its baseline compliance function, privacy can also differentiate your company from its competitors, help you increase your bottomline, help you unlock the value of data, save you a fortune in enforcement and privacy incident response costs, and provide your company an opportunity to do right by your customers, users, employees, and partners. 

Depending on your audience—your CEO, your Board, your product team, your marketing team, or your shareholders—the following points could help you make the case for privacy within your company.

1. Privacy is a competitive differentiator

Done right, privacy can be used as a competitive differentiator and can propel your company as a leader worthy of its customers’ and users’ data. We’ve seen this strategy deployed by Apple and Microsoft for years. 

Even newer tech companies are starting to catch on. At last year’s TechCrunch Disrupt, Snap CEO, Evan Spiegel proclaimed Snapchat’s privacy advantage over Facebook while being interviewed on the main stage, “[I]f you look at Snapchat, the inventions that we create around ephemerality, around privacy, those have really motivated Facebook to dramatically change their product offering in order to compete.”

And let’s not forget the hottest product at this year’s Consumer Electronics Show (CES). You guessed right: privacy. 

So why the sudden jump on the privacy bandwagon? Because similar to good privacy practices creating a competitive advantage, the other side of the same coin reveals bad privacy practices tarnishing your brand reputation.

Privacy Pro Tip: The “competitive advantage” argument for privacy generally resonates with leadership and strategy-minded audiences. Remember it the next time you’re stuck in the elevator with your CEO or brand strategists.

2. Privacy affects your bottomline

Talk to any company that is in the business of selling a product that processes personal data and you will hear a common observation: their customers are increasingly demanding privacy and are starting to make buying decisions based on it. This wasn’t always the case, particularly in the B2B context.

But with the rise of data privacy laws, companies’ responsibilities over their vendors’ data privacy and security practices have increased in turn. Leading up to the EU’s General Data Protection Regulation’s (GDPR) compliance deadline, companies underwent the painful ordeal of going back to many of their vendors and retroactively negotiating a Data Processing Agreement (DPA) to cover the required privacy and security obligations. The same was true, but to a lesser extent, for the California Consumer Privacy Act (CCPA). 

While privacy agreements are not new (we’ve had them for Model Clauses and under HIPAA for years), their effect on a company’s bottomline have never been more clear. Cisco’s 2020 data privacy benchmark study found that 87% of companies last year experienced sales delays related to privacy, with an average delay of 3.9 weeks last year and 4.2 weeks this year. What we find most noteworthy is that these sales delays correlate to the maturity of a company’s privacy program: the less privacy you have in place, the longer the delays. And according to the same Cisco study, for every $1 an organization spends on privacy, they receive a $2.70 return on investment.

In the B2C context, we’ve seen several brands cite privacy as a reason to shelf a product (Google Glass) and lay off its workforce due to slow growth resulting from privacy concerns (23andMe).

Privacy Pro Tip: You guessed right: Finance and Sales teams love hearing this point. They like to know that their company’s privacy investments make a financial difference. 

3. Privacy helps unlock the value of data

It may sound counterintuitive, but good privacy practices can help your company unlock the value of data. And quite the value it holds. (We are now all familiar with The Economist’s proclamation of data as the world’s most valuable asset, surpassing oil.)

So how exactly does privacy help here? With appropriate privacy practices in place—such as transparent disclosures, solid legal bases for processing, and Privacy by Design—companies can proceed to innovate and unleash the value of data without facing the potential privacy backlash. This is particularly true when developing or deploying data-dependent technologies like machine learning or artificial intelligence (ML/AI) or data-reliant strategies like digital marketing.

Privacy Pro Tip: This case for privacy is popular with Data Science and Marketing teams. Use it next time you find yourself having to explain why you need to roll out certain GDPR or CCPA requirements before processing data.

4. Privacy provides a market opportunity to innovate 

For those in the tech industry, privacy tech is on the rise. In the preceding months alone, we saw B2B privacy tech players, OneTrust raise a $200 million Series A round and BigID a $144 million Series C. 

In the consumer context, there is an increasing number of privacy tech startups from founders who recognize existing privacy problems and see the opportunities behind them. Jumbo Privacy, for example, is a privacy assistant that empowers users to take control of their privacy and security.

And while technology is neutral, we haven’t always done a very good job at designing it for the good, or at least to protect our privacy. But this is changing, not just because of these emerging privacy tech startups. We’ve also seen Big Tech companies forced to recognize and prioritize their users’ privacy. As an illustration point, Google recently announced that it will phase out third party cookies on Chrome.

And even if your company isn’t in the tech industry, this opportunity to innovate could translate to new features or product offerings for your company. Any company that collects data from its customers and users has the unique opportunity to offer a solution to them to solve their privacy pains.

Privacy Pro Tip: This point resonates well with investors and engineering and product teams. It’s particularly helpful when having Privacy by Design and privacy engineering conversations with engineering and product teams.

“Privacy is rife for innovation. To take advantage of this opportunity, we need to diversify our privacy toolkit … provide more carrots, not sticks.”

-Lourdes Turrecha, CEO, PIX LLC, 2019 NCSA Data Privacy Day Livestream

5. Privacy is the right thing to do

Even if your company can afford to set aside the money for privacy violations as a cost of doing business, recognize that we are also living in the age of—to quote HBO’s Silicon Valley and for lack of a better description—tethics. 

Gone are the days of moving fast and breaking things or, more aptly in the privacy space, collecting all the data, all the time. Potential users, business customers, partners, and employees alike want to know that they’re engaging with a trustworthy company. Can your brand be trusted to do right by us with our data?

Privacy Pro Tip: Board Members, Corporate Social Responsibility (CSR), and Legal teams particularly appreciate ethics-based points like this. It could also work with any tethically inclined audience.

Next time you find yourself in a position to have to make the case for privacy within your company, we suggest diversifying your toolkit by making one of the above points, depending on your audience. If you have your own unique points for making the business case for privacy, we’d love to hear them. Please feel free to share them with us by sending us an email at socials(at)pix(dot)llc, by tweeting us at @PIX_LLC, or by commenting on this post.

What is the CCPA? 

The CCPA regulates the collection, use, and disclosure of personal information relating to an individual. It entered into effect on January 1, 2020. 

We have the CCPA because California legislators passed a bill to avoid activist Alastair Mactaggart’s ballot initiative. Mactaggart agreed to withdraw the initiative if a law was passed by a certain deadline.The Last year, CCPA went through numerous proposed amendments, some of which the Governor signed into law in October. In addition to the amendments, the Attorney General issued long awaited proposed regulations. (The CCPA requires the Attorney General to solicit broad public participation and adopt regulations.) Privacy practitioners have weighed in on the proposed regulations in a series of public hearings and comments, but we are still awaiting the final regulations and expect clarifying changes.

Who is subject to the CCPA?

The CCPA applies to a business that meets one or more of the following:

1. generates gross revenues of more than $25 million per year globally; 
2. obtains the personal information of at least 50,000 California “consumers”, households, and/or devices per year; OR
3. derives 50% or more of its annual revenues from “selling” consumers’ personal information.

What does the CCPA protect?

The CCPA protects consumer personal information. A consumer is defined as a natural person who is a California resident. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” But as clarified by one of the amendments, personal information does not include publicly available information. 

What are the law’s main requirements?

1. Transparency

The CCPA requires businesses to provide transparent disclosures, including:

• Publishing a clear and understandable privacy notice
• Providing a list of the categories of personal information that the business has collected about consumers, sold about consumers, and/or disclosed about consumers for a business purpose in the preceding 12 months
• Providing information about a consumer’s CCPA rights
• Making the notice available, before or at the time of collection
• Providing a clear and conspicuous link on the homepage titled “Do Not Sell My Personal Information,” which links to a section of the privacy notice that provides the required disclosures

2. Consumer Rights

The CCPA provides rights for consumers, similar to those under the EU’s General Data Protection Regulation (GDPR). Before complying with a request, a business may require authentication of a consumer that is reasonable in light of the nature of the personal information requested, and if the consumer maintains an account with the business, the business may require the consumer to submit the request through that account. These rights are as follows:

• Access – Consumers have the right to request that a business disclose to the consumer the categories and specific pieces of personal information that the business has collected. 
• Deletion – Consumers have a right to request that a business delete any personal information which the business has collected from the consumer. Note that the deletion right relates to personal information “the business has collected from the consumer” while the access right relates to personal information “the business has collected.”  The deletion right is subject to specific exceptions, including a security, to complete a transaction, free speech, ECPA compliance, research, and legal compliance.
• Sale/Disclosure – Consumers have the right to request (but not automatically receive, as clarified by an amendment) that a business that sells the consumer’s personal information or discloses it for business purposes, disclose the categories of personal information that the business collected about the consumer; the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal data was sold, by category or categories of personal information for each third party to whom the personal information was sold; and the categories of personal information that the business disclosed about the consumer for a business purpose. 
• Opt-Out of Sale  – Consumers have the right to direct a business not to sell the consumers’ personal information to a third party. A third party also has obligations not to sell consumer personal information that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. A business may request opt-in after 12 months.
• Portability – Consumers have the right to obtain their personal information in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance. 

3. Operations

The CCPA various includes various operational requirements, including maintaining records of data sharing and establishing procedures to respond to requests from consumers. A business also needs to make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number. But a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed (instead of a toll-free number).

4. Contracts

The CCPA requires businesses to include contractual terms with service providers and third parties that process personal information. Failure to include these terms exposes the business to liability for the the recipient’s CCPA violation. Because “sale” is defined broadly to include transfer of personal information to a third party for any valuable consideration, additional obligations may apply on the business. 

Are there any notable exemptions? 

The CCPA includes notable exemptions for information already governed under certain privacy laws, such as the Confidentiality of Medical Information Act (CMIA), the Health Insurance Portability and Accountability Act (HIPAA), and the FDA’s Federal Policy for the Protection of Human Subjects (the Common Rule).

There is also the long-anticipated one-year exemption, which will expire on January 1, 2021, for personal work-related information. This includes information that is collected by a business about a natural person in the course of the person acting as a job applicant, an employee, owner, director, officer, medical staff member, or contractor of that business. These individuals retain their right to bring a private action for a data breach and their rights to be informed of the categories of personal information to be collected and the purposes for which the categories of personal information shall be used by the business.

What’s the risk?

Beyond the brand reputation risks that bad privacy practices pose, the CCPA creates new potential financial liability. The California Attorney General has enforcement authority and may assess civil fines, with a maximum of $2,500 per “violation” and $7,500 for each “intentional” violation. That said, the Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.

In addition, the CCPA allows consumers to sue in the event of a data breach, with minimum statutory damages ($100-$750 per affected California resident) for failure to maintain “reasonable” security standards. Given the class action implications in the United States, this privacy right of action presents a significant change in risk profile. Class action litigation could be more costly than the Attorney General’s enforcement actions.

---

If you found this post helpful or if you have any questions on how to tackle your CCPA strategy, planning, or implementation, please do not hesitate to reach out. We will be releasing more content in our upcoming CCPA series posts.