
Questions about Emerging State Privacy Laws

I spoke last week to a group of executives and lawyers interested in what is happening with state privacy laws.  California's comprehensive law, the CCPA, took effect in 2020 and will be "upgraded" in 2023; Virginia has now passed a similar law that will take effect in 2023; and there are currently about 20 state privacy bills pending across the country. After we discussed the issues these laws raise for corporate compliance, I received several good questions. Here are my thoughts on three of those questions:

Q: What is "reasonable" security for private, regulated information about an individual, as is now required by the CCPA?

A: This is likely to depend on the nature and amount of information the company holds, as well as how large the company is (and therefore the resources it has available), and how important that personal information is to the company's overall business. A small B2B manufacturer of plastic packaging is likely to have a lower burden to show "reasonable" efforts to protect consumer information than is a large B2C company that provides a healthcare app, for example. There is no definitive test yet, and not enough litigation to know how the U.S. courts will view the issue, but it is likely to be very fact-dependent.

Q: Will the U.S. ever have a federal privacy law?

A: Probably, someday, but not likely soon. Our current Congress is simply too divided and too busy to do anything before the 2022 midterms. If state laws continue to proliferate and cause a compliance headache because they differ so widely, it is more likely that Congress will act. I don't think Congress will be able to agree on such a complicated and technologically demanding topic without quite a lot of education, however.

Q: What are best practices for a small or medium-sized business that may become subject to new state-level privacy laws?

A: First, understand that privacy laws are very likely to apply to you in the coming years, even if you are not a B2C company. You may be directly regulated by a new state law; but even more likely, your customer agreements are almost certain to require you to comply with these new laws. Be prepared to answer customer questions about how you secure data (both with technology and through your policies and procedures, such as using role-based access) if you are a service provider to large commercial customers. Document your security procedures and policies, and train employees on them. Be sure that you understand the timetables and procedural requirements that apply to you if you receive a consumer data access request or if you suffer a data breach. Know that your IT and security planning must account for any duty you owe to third parties, either under a state privacy law or because a customer contract passes that obligation on to you.

Tags

presentations, hill_mitzi, data security and privacy