Data privacy considerations and concerns are affecting all our lives on a daily basis. We see the impacts in stories about data breaches that result in exposure of personal data for thousands or even millions of individuals and stories about the amount of data that companies like Facebook, Amazon, and others possess about us and how they’re using that data.
As much as data privacy impacts us as individuals, it impacts organizations as much or even more. Data privacy compliance requirements are driving changes across numerous business functions, including those associated with legal technology. Additionally, data privacy requirements are frequently changing and organizations are having to frequently “hit moving targets” when it comes to data privacy compliance requirements, especially when they have data about individuals throughout the U.S. and the world.
Recent Data Privacy Trends for Europe and the US
To illustrate how much data privacy requirements have changed in the past few years, let’s look at Europe and the U.S.:
The General Data Protection Regulation (GDPR) was passed in May 2018 to protect data privacy rights for citizens of the European Economic Area (which is even larger than the European Union as it adds three additional countries not part of the EU – 31 countries in all). It’s stronger than the 1995 European Union Directive it replaced in that it demands, not requests, data privacy compliance.
And fines for failing to comply can be huge: up to 4 percent of annual revenue or 20 million Euro, whichever is greater. As an example, Amazon was recently assessed a fine of $887 million under GDPR for data privacy violations. While a fine of that size may seem like a lot, 4% of Amazon’s annual revenue last year ($386 billion) is $15.44 billion, so it could have been a lot worse!
While 31 countries within Europe can agree on the same data privacy legislation, it seems as though the U.S. can’t even get more than one state to agree on the same legislation to protect its citizens. Progress is slow as only three states have currently approved comprehensive privacy laws to date (one of those has already passed a second law to replace the first law).
The International Association of Privacy Professionals (IAPP) has a State Privacy Legislation Tracker page that keeps track of the status of the various states regarding their efforts to pass a comprehensive data privacy bill – it’s a terrific resource for keeping up to date on states’ efforts to pass data privacy legislation. Here are the states that have passed laws to date:
- California: The California Consumer Privacy Act (CCPA) went into effect January 2020 and it hadn’t even lasted a full year before Californians voted to replace it with the California Privacy Rights Act (CPRA). The CPRA significantly expands the data privacy rights of consumers over what the CCPA covers and will replace it in January 2023.
- Virginia: Earlier this year, Virginia passed the Consumer Data Protection Act (CDPA or VCDPA), which is designed to provide similar protections to what CCPA offers, but with some differences, including a controller/processor approach similar to GDPR as opposed to California’s business/service provider approach.
- Colorado: And, in July, Colorado passed the Colorado Privacy Act (CPA), which follows a similar approach to the VCDPA, but also has differences and is somewhat broader than Virginia’s law.
In addition to those three states, Massachusetts, Minnesota, New York, North Carolina, Ohio, and Pennsylvania have active bills being considered by their legislatures. However, just because the bills are active doesn’t mean they will become law – 16 states have failed to pass data privacy bills in recent years. The landscape is continually changing within the U.S. and organizations must be prepared to change with it.
Will we see data privacy legislation at the federal level someday soon? Perhaps. Back in July, two senators introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, designed to provide Americans with more choice and control over their data and to direct businesses to be more transparent and accountable for their data practices. The bill would also enhance the Federal Trade Commission’s (FTC) authority and provide additional resources to enforce the Act. There’s a long road ahead for approval, but it’s a start.
Data Privacy as a Driver in Legal Technology
In short, the data privacy landscape is continually changing and is expected to keep changing for some time. But data privacy is already driving changes across several legal technology-related disciplines, including:
- eDiscovery and Litigation: Data privacy requirements are changing discovery and litigation workflows and even creating new workflows specifically to support data privacy requests from individuals.
- Information Governance: The importance of identifying Personally Identifiable Information (PII) within an organization has helped propel information governance to a new level of importance within organizations.
- Cybersecurity: Because of data privacy compliance requirements, the stakes are higher than ever to protect individuals’ sensitive data, and there are legal and ethical requirements to notify customers about data breaches.
- Contract Management/Analysis: Understanding contractual obligations with respect to data security and data breaches is important, as is the ability to respond to incidents within an agreed-upon time frame.
Just about any organizational discipline that deals with data has data privacy considerations today, and continually changing data privacy requirements are driving changes across the legal technology landscape. Next time, we will dive into some of the changes that data privacy is driving for eDiscovery and litigation. Stay tuned!