Background and Introduction
Over the past four years, U.S. companies have been forced to expand their compliance programs to keep pace with a growing array of international and U.S. state privacy laws. The wave of privacy laws began in May 2018, when the General Data Protection Regulation (GDPR) became effective, triggering new compliance obligations for U.S. companies with operations in the European Union. On the heels of the GDPR, other countries passed or expanded privacy legislation, further broadening the scope of privacy compliance for U.S. multinationals.
In the U.S., there has likewise been a creeping expansion of state privacy laws, beginning with the California Consumer Privacy Act (CCPA), passed in 2018 and effective in 2020, and continuing with the Virginia Consumer Data Protection Act (VCDPA) in 2021.
In November 2020, California voters approved, via ballot initiative, the California Privacy Rights Act (CPRA), which significantly expands on the CCPA and introduces a number of GDPR-like privacy concepts as well as some entirely new legal obligations. In March 2021, the Virginia legislature passed the VCDPA, which incorporates many of the same concepts as the CPRA but varies in enough ways that compliance with the CPRA does not necessarily entail compliance with the VCDPA. Other states have since passed smaller, less comprehensive privacy laws.
However, numerous other states have proposed, but ultimately failed to pass, state privacy laws. The Washington Privacy Act (WPA) has now failed three consecutive years, foundering on the issue of a private right of action – a common point of disagreement in many state legislatures. Due in part to the lack of a federal privacy law – various proposals continue to stall over disagreements about enforcement and pre-emption – it is very likely that U.S. states will continue to propose and consider privacy legislation.
The dilemma for U.S. multinationals is how to manage compliance with the growing patchwork of state and international privacy obligations. If privacy law were a Venn diagram, the GDPR would form the outermost ring, with the CPRA, CCPA, and VCDPA fitting within the GDPR in loosely concentric circles. But there is enough variance between these laws that simply complying with the GDPR would not be sufficient for companies subject to all of them.
Recommendations for Managing Compliance
How, then, should U.S. companies that may be subject to multiple overlapping privacy laws – particularly media companies and digital platform/technology companies – manage compliance?
Initially, companies should determine which laws actually apply to them. There are differing thresholds for compliance under the Virginia and California laws (to say nothing of the GDPR). Assuming a company meets a threshold trigger for compliance, the next question is the extent to which the company can avail itself of exclusions, particularly exclusions for employees and B2B transactions. After scoping the data subject to privacy laws, companies should next determine the extent to which their obligations will vary under the applicable laws. This raises the question of whether companies should strive for compliance with the most restrictive law where privacy laws overlap, or address compliance state by state.
Some of the core compliance projects that companies may need to pursue include (1) data mapping – in particular, mapping sharing activities, profiling, and high-risk activities, and characterizing vendors; (2) revising record retention programs to address new data minimization requirements; (3) revising vendor contracts; (4) assessing opt-out and consent requirements, which may be a very granular analysis; and (5) assessing the extent to which the company can avail itself of any legal exemptions from privacy obligations.
Issues that companies should continue to monitor include: the status of rule-making in California, which is likely to significantly impact operational decisions; likely revisions to the VCDPA; the passage of additional state privacy laws; changes in behavioral advertising models that may or may not trigger the need for opt-outs; and the adoption at the corporate level of new automated technologies involving consumer data that may constitute profiling.
The full article in its original form can be found here.
Philip Yannella (LAW ’97) is a partner at Ballard Spahr in Philadelphia, Pennsylvania. He is the Practice Leader of the firm’s Privacy and Data Security Group and the firm’s E-Discovery and Data Management Group. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.
Kim Phan is a partner at Ballard Spahr in Washington, D.C. Phan is a privacy and data security lawyer who counsels companies on various federal and state privacy and data security statutes and regulations.
Greg Szewczyk is a partner at Ballard Spahr in Denver and Boulder, Colorado. Szewczyk assists companies in assessing risk and complying with the ever-expanding patchwork of state, federal, and international privacy and data security statutes and regulations.