How the CCPA is impacting corporate information management
Legal experts predict the California Consumer Privacy Act could lead to a patchwork of varying privacy laws in the U.S.
Legal experts are seeing a shift in the way companies are approaching privacy management since the Jan. 1 2020 enactment of the California Consumer Privacy Act (CCPA).
They say the date essentially saw the birth of “a new privacy-first approach” in the U.S.
“The whole argument was [that] you can’t have a privacy law on the state level,” says Husch Blackwell partner David Stauss. “That argument is gone.”
Stauss shared these insights as part of a panel titled “Understanding CCPA & U.S. State Privacy Regimes” during Legalweek 2020 in New York. Panelists discussed how the CCPA could lead to a variety of privacy laws in the U.S.
Even if some states don’t enact privacy laws, panelists said the CCPA could prompt corporations to launch similar privacy protocols for all U.S. citizens.
In the wake of the CCPA, some large tech and social media companies have announced their desire for a nationwide data privacy standard. Stauss said these players want a federal data privacy law that preempts state law and doesn’t include a private action penalty.
For now, many companies that fall under the CCPA’s scope, including Microsoft, may decide to extend CCPA-similar privacy rights to non-Californians to improve security protocols and branding.
“Optically, it looks bad if you are only giving privacy rights to a subset of people,” noted panelist and Venable partner Shannon Yavorsky.
Suffice to say, the adoption of widespread data privacy practices is greatly motivated by governmental regulation, and lawyers say it’s more likely additional states will enact a data privacy law before the federal government. Noting all states’ data breach notification laws; Illinois’, Washington state’s and Texas’ biometric laws; the CCPA; and New York State Department of Financial Services’ cybersecurity requirement, Stauss said states are taking the initiative in regulating data privacy.
The panel highlighted over eight states that have introduced data privacy legislation recently. The states’ proposed laws vary, from Washington state’s General Data Protection Regulation-lite approach to other states’ moves to mirror the CCPA and those with proposals are a GDPR and CCPA mix.
Though the bills vary, they all share a common theme, the panel said. Notably, all the proposed laws provide residents with a “right to opt-out of sales,” with the definition of sale differing per proposed legislation, Stauss explained.
Related: