Landmark Data Privacy Legislation Serves as a Benchmark in a Rapidly Shifting Legal Landscape

By: Kevin Bampoe

Almost everyone has experienced the phenomenon of being bombarded with advertisements on social media for something they were thinking about only moments before. Search queries in search engines such as Google, Bing, or Yahoo are used to generate content and advertisements on unaffiliated sites and platforms including Facebook, Instagram, Amazon, YouTube and eBay almost instantaneously. This seemingly mysterious ability for advertisers to know exactly what a consumer wants, and when they want it, relies on the Wild Wild West-like data privacy regulation landscape in the U.S. and a lack of policy and legislation aimed at safeguarding consumers’ interests. Tech companies gather, store, and even sell human behaviors and preferences, a business model which has generated billions of dollars in ad revenue. California believes enough is enough and that consumers have a right to own and control their data as well as hold companies responsible for protecting their data and liable for failing to do so.

The General Data Protection Regulation (GDPR) went into effect last year, in August 2018, and with it came a large number of data privacy-related requirements and high fines for failure to comply. Currently in the United States there is a mess of laws enacted at both the federal and state levels, each targeting a certain industry, activity, or type of data, but no comprehensive privacy regulation policy. With the enactment of the GDPR came a shift in data privacy regulation and the first major piece of legislation in the United States, the California Consumer Privacy Act of 2018 (CCPA). The GDPR has been highly regarded since its approval and serves as a wake-up call to the industry. Its impact has already reached far beyond the EU, indicating a shift in priorities and a willingness to legislate to protect individual rights.

In June 2018 California Governor Gavin Newsom approved the CCPA, which the American Bar Association considers “the absolute toughest data privacy law in the United States.” The basic mechanism of this legislation is a consumer’s ability to make requests to any business covered by the Act: one that makes more than $25 million in revenue, that buys or sells the personal information of 50,000 consumers or more, or that derives 50% or more of its revenue from the sale of consumer personal information. This would apply to companies both within and outside the state of California. These requests embody four basic rights of the legislation: the right to know, which entails requesting disclosure of how their data is being used and who it is being sold to; the right to opt out of allowing businesses to sell their personal information; the right to receive equal service and pricing from businesses, so as to prevent companies from utilizing consumer data for targeted pricing; and the right to ask that their data be deleted.

An example highlighting the need for legislation such as this is that Facebook users do not control the data which Facebook collects and then sells. Even after you delete your Facebook account, Facebook retains the data collected, continuing to utilize and sell it for its own interests. This legislation will finally give users the ability to compel Facebook to disclose how their information has been used and with whom it has been shared, to opt out of having their data sold, to delete all of their information which has been collected, and to bring litigation should Facebook fail to comply.

With the CCPA going into effect on January 1, 2020, experts are waiting to see how this will affect consumer data collection practices by companies and whether consumers will actually utilize this legislation. Not everyone is waiting patiently: 17 other states have recently introduced their own legislation aimed at protecting consumer data privacy, using the CCPA as a framework.

In June, the Maine Act to Protect the Privacy of Online Customer Information was approved, which when effective will prohibit broadband internet access services from using, disclosing, selling or permitting access to personal customer information without the customer’s express consent. The New York Privacy Act requires companies to disclose their methods of de-identifying personal information, to place safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information has been shared. Nevada, Pennsylvania, Massachusetts, Hawaii, and Maryland have also introduced comprehensive legislation, and Texas is updating its current policy as well. While not identical to each other, these laws share common principles, supporting the belief that this jurisdiction-based trend will continue to expand, leading to calls for a comprehensive national or even global approach to privacy.

This new wave of legislation isn’t the only sign of change on the horizon. On September 4, 2019, Google settled complaints brought against it by the Federal Trade Commission and the New York Attorney General for failing to obtain parental consent in collecting data on kids under 13. Google agreed to pay $170 million in fines and to limit ads on kids’ videos, making it one of the most significant enforcement actions against a big technology company in the U.S. This represents policy makers’ focus on privacy and antitrust issues involving big internet platforms that have enjoyed few regulatory constraints up until now.

Google isn’t the only recent target of the FTC for Children’s Online Privacy Protection Act (COPPA) violations; other companies, including Facebook, are under scrutiny for failing to acquire parental consent when dealing with minors. A popular app, TikTok, was fined $5.7 million earlier this year for similar claims of failure to obtain parental consent prior to collecting names, email addresses, and similar information from children under 13. This is not the first time complaints such as this have been settled with the FTC. Back in 2014 Google settled with the FTC for its failure to obtain parental consent for charges by children playing mobile games. Apple agreed to settle and changed its billing practice after similar complaints. Yelp also paid over allegations that it failed to test the age-registration feature on its app, collecting information from children as young as 9 without parental consent.

These changes are all waves resulting from the big splash the GDPR made when enacted last year in the EU. This, along with the political reaction to the fact that personal data has been used to persuade voters without their knowledge or consent, and the growing discontent with big data companies storing and selling significant amounts of personal data, has led to a demand for consumer privacy protections and the ability to hold big data companies accountable. The GDPR gave California and other states a framework for drafting their own comprehensive legislation, though all of it is narrower in scope. The GDPR is based upon the principles of notice, consent, and establishing a legal basis for personal data collection. The overall EU approach to data privacy recognizes that each individual has rights to their personal data and obligates those who collect, store and process this data to provide and protect said rights.

The GDPR gives individuals a right to access personal data held about them, a right to have inaccurate personal data rectified, a right to require the erasure of personal data held, a right to restrict processing of personal data, a right to receive personal data and have it transferred to a third party, a right to object to the processing of their personal data, and a right to withdraw consent. The CCPA, on the other hand, does not require companies to transfer a consumer’s personal data to another entity, nor does it give consumers the right to obligate companies to correct inaccurate or incomplete information, but it does give consumers a private right of action with statutory damages between $100-$750 per person, per incident when data has been breached.

After Google was fined $57 million for failing to properly disclose to users how data is collected across its services, including its search engine, Google Maps, and YouTube, to offer personalized advertisements, the whole world took notice. Now, with this recent settlement for COPPA violations and the CCPA going into effect January 1, 2020, it is clear that the days of the Wild Wild West are rapidly coming to a close, but what the future of data privacy regulation looks like is uncertain. This is only the beginning, and while big data companies rush to ensure compliance, they and their lobbyists won’t go down without a fight.
