The pace of change in privacy regulation shows no signs of slowing in 2022 or in the years ahead. The patchwork of state-level laws in the US will present a daunting compliance challenge for communication professionals: not only corporate communicators but also PR professionals in agencies, the clients they represent and those clients' businesses.
Below we offer a brief update on recent changes and what is ahead. As we've said previously, the views here are mine and do not constitute legal advice–which is good, because I’m not a lawyer. We suggest consulting a lawyer about issues you read here.
As many of you will recall from my previous articles (you read them, right?), the US stands nearly alone among major economies in having no universal privacy law. Our approach is sector-specific, keyed to the type of data involved and the type of institution that uses it. Think banks and the Fair Credit Reporting Act, or doctors' offices and HIPAA.
A Slow Process in D.C.
Though the Federal Trade Commission (FTC) now has a three-to-two Democratic majority, its attempts at crafting privacy regulation will be time-consuming (we're talking years) and fraught with litigation, though there's some hope. Still, let's not forget privacy is just one of many things on the FTC's regulatory plate.
(Remember that TikTok influencer you employed who did not disclose in her video that she was paid? The FTC may want a word with you, but that's for a future article).
To fill the privacy vacuum, states are stepping in, starting with California. Each state's law differs in scope and in the rights it grants, which makes compliance an even bigger headache, and a really expensive one if done wrong.
Since California enacted the nation’s first state-level privacy law, let’s start there for updates.
By now all of you should be familiar with the California Consumer Privacy Act, or CCPA (privacy professionals love acronyms). The CCPA gave California residents a variety of rights over their data, including the right to:
- know what data a company holds
- have their data deleted and
- opt out of the sale of their data, among other things.
The CCPA is about to be substantially reshaped by the California Privacy Rights Act (CPRA). In November 2020, voters approved the CPRA, which amends and expands the rights conveyed under the CCPA. Three changes deserve particular attention.
First, the new law creates the California Privacy Protection Agency and hands it the job of writing and implementing regulations and imposing fines for violations, work previously done by the state attorney general (the attorney general keeps the power to bring civil enforcement actions).
The effective date is January 1, 2023, and the law reaches back to personal information collected on or after January 1, 2022. Sadly, the agency has confirmed that those very important regulations will not come out until later this year. As a result, companies will have a very short time to become compliant.
Second, the opt-out of sale becomes an opt-out of sale or sharing, and "sharing" has a broad definition: disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands.
For instance, if you pass data to another company for targeted advertising, even if you don't get paid for it, you may have to offer consumers the chance to opt out of that sharing. Again, regulations on this would be useful sooner rather than later, but that is not going to happen.
Third, and finally, the CCPA's exemption for employee and job-applicant data sunsets, after which the CPRA's rights would apply to that data. What does that mean for communicators? Unless the new law is amended, and it may be, if you have employees in California, they can start asking you what data you hold on them, how you use it and where it goes. This could get messy.
More States in the Mix
California is leading the way at the state level, but others are adding to the patchwork of regulations requiring robust compliance planning. Virginia, Utah, Colorado and Connecticut have passed data privacy laws that begin taking effect within months, with all four in force by the end of 2023. They are broadly similar on data-subject rights, but vary in subtle ways according to:
- who is within scope of the law
- who is exempt and
- how long companies have to respond to requests, etc.
And not to be outdone, North Carolina is, as we write, considering a data privacy law with a twist that should worry all of us: a private right of action for privacy violations not related to a data breach.
Earlier this year, Florida considered a similar law and it failed. Let’s hope North Carolina is dissuaded. If not, it opens the possibility for a lot of litigation and fines (and plaintiffs’ attorney fees).
A Useful Resource
Thankfully, there is a resource to help you track these and other forthcoming laws through the International Association of Privacy Professionals (IAPP). If you do not have a privacy professional monitoring legislation for you (and we recommend you do), visit: US State Privacy Legislation Tracker (iapp.org). It offers an overview of what’s in effect at the state level and regulations likely coming down the road.
But a word of caution: though regularly updated and quite useful, this chart is not a replacement for a privacy professional familiar with regulatory compliance.
Turning to European Union (EU) developments: those of you who do business or represent businesses there and are looking to move data more easily between the two markets face a mixed situation. You have reason for hope, tempered with continued concern.
Hands Across the Water
The Biden Administration, jointly with the President of the European Commission, announced a Trans-Atlantic Data Privacy Framework to facilitate freer movement of data between the markets. The earlier transfer mechanisms, Safe Harbor and Privacy Shield, were struck down by the EU's top court, leaving international businesses with limited options.
Though the details of the new agreement are yet to come, both sides are hopeful that this mutual pact will lead to improvements. That said, Max Schrems, the lead plaintiff in the two cases that struck down the previous agreements, and his advocacy group noyb issued an open letter voicing strong concerns about the proposed framework. The proposal does nothing to change American surveillance laws or to protect the data of EU residents once it has been moved to the US, the letter says.
In his letter, Schrems issued a warning that “the announced framework risks sharing the same fate as its two predecessors in front of the Court of Justice for the European Union unless substantive (legislative) reforms are conducted in the United States.”
In other words, don’t fire up those data-transfer engines yet–this could take a while.
The Irony of China
And no update on privacy regulations for communicators would be complete without mentioning the new law in China. The irony is readily apparent that a one-party surveillance state has a privacy law.
This law, the Personal Information Protection Law (PIPL), imposes serious restrictions on transferring personal data out of China. If you or a client are thinking about such a transfer, then depending on the volume and sensitivity of the data, Chinese cybersecurity authorities may first have to assess you to make sure sensitive information is not leaving the country and that you can keep the data secure.
We leave it up to you if you feel comfortable letting Beijing poke around your cybersecurity programs.
This update clocks in at more than 1,000 words, but is in no way complete. It would take a lot more to cover all the topics regularly changing in privacy regulations that could touch your company, including the new EU Digital Services Act, what the UK might do with its privacy law post-Brexit and possible changes coming in Canada and Brazil. The list goes on and on.
Stay tuned for more, because in this global economy data is indeed the new oil and most governments are still playing catch-up in regulating it well. Guess I'll have to write another update soon.
Stephen Payne is VP, public affairs & privacy, Feld Entertainment