This What the Tech? article focuses on the rapid proliferation of state consumer privacy laws and features WBD Privacy and Cybersecurity Team Chair Tara Cho, WBD IP Transactions and FinTech Teams Leader Ted Claypoole, and Kathryn Farrara, Associate General Counsel and U.S. Data Protection Officer at Unilever.
The modern era of data privacy changes began in May 2017, when consumer credit report company Equifax was hit with a data breach that exposed the personal information of approximately 147 million people. In response, states amended their data breach laws, enacted new data security laws and, more recently, passed omnibus consumer privacy laws, all while the European Union General Data Protection Regulation (GDPR) became effective in May 2018 and the California Consumer Privacy Act was enacted a month later in June 2018.
Cho said the Equifax breach led to “a shift from reactionary lawmaking—what happens in response to a data breach—to a more Eurocentric, proactive approach to protecting consumer privacy rights.”
Following the California referendum, Colorado, Virginia and now Utah all have approved similar consumer privacy laws.
“The rate of change has dramatically increased,” Farrara said. “It took 15 years to get to a place where every state had enacted a data breach law, but almost every state has proposed a privacy law—and four have passed.”
Claypoole said that rate of change is only going to speed up, as privacy is on the minds of lawmakers and businesses. Also, the Uniform Law Commission has drafted a suggested uniform omnibus privacy law, a resource that makes it easier for state lawmakers to create new legislation.
“I think you may see even more change in the next five years,” Claypoole said. He said these changes will continue to happen on a state level, as political differences in D.C. will make it difficult for Congress to agree on a national privacy law.
California, Colorado, Utah & Virginia Enact State Privacy Laws
The four new laws are similar in their approach to consumer privacy. They all grant consumers the right to access, correct, delete and transfer personal data (and California, Colorado and Utah add the right to know). All four also give consumers the right to opt out of certain targeted advertising.
“These laws are more proactive,” Cho said. “They focus on ‘Do you have the right to do what you propose to do with the data? Did you obtain it properly? And do you have consent to use it?’”
So how should businesses respond to these rapid changes in consumer privacy law?
“This isn’t that different from a lot of crisis management that you may be involved in as in-house counsel,” Farrara said. Privacy has to be a whole-team effort ingrained in an organization’s culture. “It’s really hard to ensure you know everything that is happening all the time,” she said.
Claypoole said companies such as Unilever are wisely staying ahead of the shifting privacy landscape by implementing broad, comprehensive privacy principles, rather than dealing with customers on a state-by-state basis.
“That was easier when only California had this type of state privacy law,” Claypoole said. “But the more states that get added to this list, the easier it will be to do what Unilever is doing.”
And more states almost assuredly will join the list. Alaska, Arizona, Connecticut, the District of Columbia, Florida, Georgia, Hawaii, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Minnesota, Nebraska, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Washington, West Virginia and Wisconsin all are considering comprehensive state privacy laws. Kentucky, Maine, Maryland, Massachusetts, New York and West Virginia also are debating biometrics privacy laws, while Virginia just passed amendments to the Virginia Consumer Data Protection Act (VCDPA).
State Privacy Laws: Enforcement, Penalties and Repercussions
The California, Colorado, Utah and Virginia laws all give their state’s Attorneys General the right to bring actions and seek significant civil penalties against violators:
- California—$2,500 per violation, or $7,500 per intentional violation or violation involving the data of minors;
- Virginia—$7,500 per violation; alleged violators have 30 days to cure alleged violations;
- Colorado—up to $20,000 per violation; alleged violators have 60 days to cure alleged violations;
- Utah—$7,500 per violation; alleged violators have 30 days to cure alleged violations.
However, only California grants citizens a right of private action.
But in addition to enforcement by state AGs, companies also face another serious potential consequence of a data breach or non-compliance with privacy laws—the loss of public reputation. Farrara said some executives respond more to the threat of reputational harm, while others are more responsive to the opportunity to build value by being sensitive to consumer privacy concerns. “Either way, we’re getting at the same thing, which is the reason our analysis isn’t just about complying with the law. Your reputation is on the line, as is consumer trust in you. It’s so easy to opt out.”
“This is a data economy, and we’re reaching the point where nearly every business should be looking at this as a broader policy issue,” Claypoole said.
Claypoole spoke of a “Cool vs. Creepiness” dynamic in using personal consumer data. While on one hand, using these types of advanced metrics can make a company feel cutting edge, many consumers are put off by what they feel is intrusive corporate behavior.
“At the end of the day, your business is made up of people who are consumers themselves,” Farrara said.
Cho said, “The reputational risk is so intertwined with the legal risk.” Often, regulators investigate after a consumer complaint or a data breach.
Companies need to make sure all teams within the organization are on the same page in terms of privacy compliance practices and standards. Building a broad base of support also can help companies better identify potential privacy issues before they become problems, Farrara said.
State Law Trends for 2023
Moving forward, there are two classes of data companies will need to protect—Personally Identifiable Information (PII) and “Sensitive Data.” The latter category includes:
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- Contents of emails;
- Biometric information, including health and sexual orientation;
- Genetic data; and
- Precise geolocation (a game-changer for mobile data).
State laws increasingly are moving toward protecting PII and Sensitive Data, and companies should prepare to ensure they can keep this information confidential and safe. But this can be challenging, not only from a compliance aspect, but from a technical side as well.
Claypoole said, “I think we’re going to see more and more laws that target specific aspects of privacy, such as geolocation and DNA.”
How Companies Should Respond to Changes in State Cybersecurity Law
It only takes a few high-profile data breach cases to get the attention of the C-suite. These cases directly impact how companies operate online and, thus, can have a far-reaching impact on companies’ bottom lines.
In addition, companies also have seen a rapid uptick in the number of cyberattacks (particularly ransomware) in the last two years. The work-from-home and hybrid working environments created by the COVID-19 pandemic also created a larger attack surface, because remote work added more points of entry for attackers, often on less secure systems. The increase in cyberattacks, in turn, has led to a big increase in the cost of cyber insurance.
So how should GCs advise their management teams moving forward? How do businesses respond to the growing number of states approving comprehensive consumer privacy laws?
“These are essentially consumer protection laws as it relates to businesses,” Claypoole said. “If you are leaning into the idea that you are going the extra mile to protect consumers, you are probably going to be fine—but you do need to look at the specifics of these new state laws.”
One risk is that in large organizations with many decision-makers, it can be difficult to ensure that all decisions meet the company’s privacy requirements. So Farrara said automation can help ensure that quality control is in place for a company’s privacy compliance program.
Also, businesses need to make sure a clear firewall exists between their operational technology (OT) and information technology (IT). Companies need to ensure that their operations cannot be shut down through an email-based attack, as was the case with the 2021 Colonial Pipeline breach.
Other tips from Cho, Claypoole and Farrara include:
- Have a “Do Not Sell” link on the company’s website.
- Involve the company’s data security team with vendor negotiations if those vendors are to handle sensitive data.
- Make sure employee privacy and data protection training happens on a regular schedule.
- Get buy-in and support from the organization’s top leadership.
- Demonstrate competence. Companies don’t need to be perfect—they just need to show they are making legitimate, good-faith efforts to protect consumer data.
This article is based on an April 5 Womble Bond Dickinson thought leadership series virtual event titled “What the Tech? Moving Targets While Under Fire – Aligning with New Data Laws While Hackers and Customers Bring Pressure”. The What the Tech? series takes a closer look at the disruption technologies impacting almost every sector and the challenges and opportunities they present for today’s business leaders.