The demand for consumers’ personal information is at an all-time high, as targeted marketing is now able to use big data to process large amounts of personal information accurately and at a fast pace. However, there currently is no nationwide federal privacy legislation to protect consumers’ data privacy rights or to inform companies as to what constitutes a violation. How can lawyers help clients navigate data privacy issues so that consumers know their rights and companies know how to use and protect data?
June 29, 2020 Technology
As Demand for Consumer Data Increases, So Does the Need for Data Privacy Laws
If there is no federal privacy legislation, how can lawyers help clients protect their data?
By Christina M. Jordan
Invasion of Data Privacy
Data privacy intrusions are not often brought about by choice. Consumers are now used to seeing targeted ads on the computer screen as a result of previous searches. Marketing specialists are aware of consumers’ buying habits, frequently visited websites, movies watched, foods eaten, and much more. Political campaigns also routinely harvest similar information to assist in assessing likely voting preferences. Many companies have implemented biometric systems to log in employees at their places of work, or have security systems that can monitor how often and when you clocked in and clocked out, when you logged in to your work computer, and when you logged off.
Such private, personal, and biometric information is collected and processed by corporate entities and the government. How this information is shared, with whom, and how long it is stored are important factors to consider, as an individual is likely to suffer irreversible harm, and companies may be liable for violations if personal data is compromised.
Developing Regulatory and Legal Landscape of Data Privacy and Protection
While there is no central federal privacy law in the United States, in 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which provides data privacy protection for EU citizens. The GDPR recognizes that personal data protection is a fundamental right and that personal data should be processed lawfully, fairly, and in a transparent manner. The GDPR also limits the lawful basis for which personal data may be collected, processed, and transferred. Permissible uses of personal data under the GDPR may conflict with discovery in U.S. litigation, which often relies on access to electronically stored information.
Lawmakers are beginning to propose federal privacy legislation, but national legislation does not seem imminent. Alaska, Arizona, California, Connecticut, Florida, Hawaii, Illinois, Maine, Maryland, Massachusetts, Mississippi, Montana, Nevada, New Jersey, New Mexico, New York, North Dakota, Rhode Island, Texas, and Washington are among the states that have enacted or are in the process of introducing legislation in the data privacy space. The California Consumer Privacy Act (CCPA) is a broad data privacy law that went into effect on January 1, 2020, and largely reflects the GDPR. Under the CCPA, there is no private right of action for a data privacy violation; rather, claims go to the attorney general, who monitors compliance. Unlike the CCPA, the Illinois Biometric Information Privacy Act, which went into effect on October 3, 2008, allows aggrieved persons to sue for a biometric data violation. A major difference between the state data privacy laws is that some states provide for a private right of action while violations in other states would be enforceable only by the state attorney general.
Private causes of action in the GDPR and the U.S. state laws have raised questions including whether laws apply to individuals and entities outside the country or state and whether the presence of a statutory violation can lead to liability. In the absence of a national privacy law, California’s legislation may become the benchmark for how companies implement data privacy policies for all of the states in which they operate. This would be similar to how companies treated updates made in response to the GDPR. Businesses could benefit from having a head start on compliance with existing state laws should a national law go into effect. However, companies would likely prefer a national standard to take the guesswork out of complying with different requirements present in state laws.
Collecting Data: Notice and Consent
One aspect routinely covered in data privacy laws is the collection of data, including notice and consent of data being collected. In Rosenbach v. Six Flags Entertainment Corporation, Six Flags employed a fingerprinting system for season pass holders, including minors. Rosenbach purchased a season pass for her minor child, who had to scan his thumb into a biometric data capture system to complete the transaction.
Rosenbach alleged that the biometric data capture was accompanied by neither a request for consent nor notice of the purpose for data collection and the length of time the information would be stored. The court found that Rosenbach did not have to allege harm beyond information collection without consent. Given the potential for increased liability exposure under statutes that may not require proof of harm beyond lack of consent or notice, companies should actively evaluate their data privacy policies to ensure compliance with the landscape of privacy laws.
Guidance on Use of Consumer Data: Transparency
U.S. companies conducting business in Europe or collecting data from European consumers should be mindful of the globalization of the GDPR. Google was fined for lack of transparency regarding its use of consumers’ personal information and for failure to obtain sufficient consent to use that information in personalized advertisements. For example, the regulatory body found that essential information regarding how personal data was being used for personalized ads was not available in a concise location. In addition, Google’s language was purposefully broad and obscure to make it difficult to understand how consumers’ data was being used. The fine should put U.S. companies on notice to be in compliance with the GDPR.
Strategies for Compliance
Although some of the state-enacted data privacy laws have provisions that are similar to the GDPR, being compliant with the GDPR does not mean you are compliant with state laws. Rather, each state law has unique aspects that may conflict with the GDPR with respect to protecting data. As long as data privacy remains unlegislated, companies and individuals will potentially face complicated data privacy policies and expensive litigation.
Companies may want to consider where they are conducting business in the U.S. and in Europe and whether they are collecting data from consumers located there. This will assist in understanding whether they can expect to be compliant with GDPR in addition to the landscape of state data privacy laws. Further, understanding how state data privacy laws align and where they conflict can help companies adopt best practices for handling data privacy for U.S. clients. Establishing a data privacy policy and program that includes training employees on proper collection, processing, and retention of such data may help companies avoid violations.
Christina M. Jordan is an associate editor for Litigation News.
Resources
- Robert E. Shapiro, “Invasion of Privacy,” Litigation, Vol. 46, No. 1 (Fall 2019).
- Rosenbach v. Six Flags Entm’t. Corp., No. 123186, 2019 IL 123186, ¶ 33 (Jan. 25, 2019).
- The CNIL’s restricted panel pronounces a penalty of 50 million euros against GOOGLE LLC, cnil.fr (Jan. 21, 2019) (article translated into English).
- Kristen L. Burge, “Growing Patchwork of Biometric Privacy Laws,” Litigation News, Vol. 44, No. 4 (Summer 2019).
- Jennifer Mesko & Emily Knight, “Illinois Supreme Court Rules in Biometric Information Privacy Act Case,” Class Actions & Derivative Suits (Feb. 12, 2019).
- Robyn R. English-Mezzino, “The Impact of Judicial Discretion on Cross-Border Discovery,” Commercial & Bus. Litig. (July 3, 2019).
- Alfred J. Saikali, “The Developing Landscape of Data Protection Laws and Enforcement Actions,” Prods. Liab. Litig. (Apr. 9, 2019).
- Sundeep Kapur, “CCPA Essentials: How to Get Started,” Minority Trial Law. (May 28, 2019).
- Stephen Breidenbach, “Navigating Privacy Laws as the Landscape Shifts,” Intellectual Prop. Litig. (May 30, 2019).
Copyright © 2020, American Bar Association. All rights reserved.