2019 will be remembered as the year we still tried to figure out how to get the GDPR right, we spent time trying to understanding what “sale” will mean under CCPA, and we went through about two data breaches a day. Will next year be more of the same?
The CCPA will come into effect on Wednesday, and we basically know what the rules are now, although, if the privacy notices are any indication, a lot of companies still have no idea whether they sell information as that term is defined in the statute.
Late this year we got the first draft of the latest pretty serious attempt at legislation on the federal level. Senators Cantwell, Katz, Klobuchar and Markey co-sponsored the Consumer Online Privacy Rights Act (COPRA)
for those playing
COBRA: insurance lol
CPREA: new calif privacy
COPRA: cantwell bill
— Tony Romm
COPRA looks quite similar to the California Bill, except for the omission of any kind of an opt-out right (more on that in a minute). It would apply to larger companies who collect information on about 30,000 or more persons. It would apply to all information that reasonably identifies a person, and medical, biometric, DNA, and religious/political information (and also nude photos, thank heavens) would be considered “sensitive.” It would give consumers rights of access and correction, and a fairly straightforward (“the covered entity SHALL”) right of deletion. One new provision is that consumers would have to consent to any changes to a processor’s privacy notice that would weaken the consumer’s privacy rights.
Outside of that, the list of prohibited activities is pretty limited. It imports the prohibitions against unfair and deceptive practices from Section 5 the FTC Act, and includes prohibitions against any actions which cause “financial, physical, reputational, or other substantial injury” to an individual. It also introduces “intrusion into seclusion” language that strikes this reader as inviting litigation. Since it is in the news almost every day that we are being tracked everywhere and our neighbors Ring cameras are catching us every time we’re on the sidewalk, is intrusion into our iPhones still “offensive to a reasonable person”? (I realize that I have just waded into some pretty vast 4th Amendment issues here that I am in no way equipped to discuss – I’m only thinking about civil privacy torts).
The legislation as drafted does not preempt the California law and its opt-out regime for the sale of information. This may be the biggest stumbling block towards passing anything resembling this draft. Especially as more and more states start to take up the issue, the argument from data processors is that without preemption, the federal legislation just becomes another law with which to comply. It’s not a meritless argument. In fact, there is a competing bill from Senator Wicker that would preempt all state laws occupying the privacy field. (Whether a federal law can preempt state laws that offer greater rights is a question for another day). On the other hand, Californians and any other Americans who acquire the right to opt-out before federal legislation gets passed are going to be none too pleased at having that right suddenly taken away.
So in 2020 we will watch the feds, we will watch the other states, and we will see how the California law plays out. We will also see how, if at all, these new consumer protection laws stack up against the corporate surveillance state in which we find ourselves, since not a single one of these legislative attempts allow us to opt-out of having our information collected in the first place. Oh, and we’ll also see if the EU Court of Justice ends up killing Privacy Shield . . .
Happy New Year!