Litigation News

Spring 2020, Vol. 45, No. 3

Data Privacy: More Than Just the New Black

Daniel S Wittenberg


  • While data privacy law lacks federal cohesion, a business’s stance towards privacy has become essential to its survival.
  • The data protection market is projected to reach $119.95 billion by 2022 at a compound annual growth rate of 16 percent and increase to close to $200 billion by 2026. 

The data protection market is projected to reach $119.95 billion by 2022 at a compound annual growth rate of 16 percent and increase to close to $200 billion by 2026. Since the rollout of the General Data Protection Regulation (GDPR), “privacy by design has made privacy as a profession one of the fastest growing and hottest verticals in and outside of the legal job market,” according to Jared Coseglia, the chief executive officer of TRU Staffing Partners in a recent article. The GDPR had a massive impact, being perhaps the largest regulatory action in privacy to date. Its impact will be felt for years. While U.S. law on data privacy is notably different and lacks federal cohesion, a business’s stance toward privacy has become essential to its survival.

As the collection, use, and transfer of personal information are of heightened concern, privacy is now a major discussion in boardrooms. Because there is now a bevy of new and developing data disclosure requirements, limitations on the use and sale of private data, and requirements on contractual arrangements (among others), the need to understand and comply with these rules, and to avoid potential enforcement actions and violations, is at an all-time high. Media attention surrounding data breaches, cyberattacks, and unauthorized sharing of personal information is further disquieting business and adding to the corporate worry bucket.

A Vintage Year

2018 was a landmark year for comprehensive consumer data privacy legislation. In that year alone, the GDPR took effect, California enacted its Consumer Privacy Act of 2018 (CCPA), and Vermont passed the first law in the country designed to regulate data brokers, the companies that sell personal information.

The GDPR took effect on May 25, 2018. It extended European Union (EU) jurisdiction beyond the EU’s member countries: any global business that sells to or has EU customers is subject to the GDPR, regardless of where that business is based. The EU has long applied a more wide-ranging data protection regulatory scheme. European privacy regulations have generally concerned any entity’s accumulation of large amounts of data. The GDPR regulates the processing of personal data and lays out guiding principles that inform the interpretation of how companies treat the personal data of EU citizens, including those living in the U.S. or purchasing U.S. products or services.

The CCPA was enacted in June 2018 and became effective on January 1, 2020. It is one of the broadest online privacy laws in the United States, affecting companies across the country that do business with California residents. Rather than distinguishing between the sources of data that come within its scope, the CCPA regulates all personal information, which, by the statute’s terms, covers nearly any information a business would collect from a consumer. Moreover, unlike the federal patchwork of data protection statutes that are the laws of the 50 states, neither the method of data collection nor the industry in which the business operates limits the potential application of the CCPA. It applies to any company that collects the personal information of Californians, is for-profit, and satisfies a basic set of thresholds.

It Was a Very Good Year

More consumer privacy laws were brought into play by state legislatures and regulatory agencies in the first half of 2019 than in all of 2018. The number of states with data security laws has doubled since 2016. As perceived security risks to personal identifying information have increased, state legislatures are taking a more active role in requiring businesses to protect that data. At least 25 states now have laws that address data security practices of private sector entities. For example, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), signed into law in July 2019, took effect on March 21, 2020. The SHIELD Act expands New York’s breach notification requirements and imposes heightened data security requirements to prevent breaches.

Most of the new data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain “reasonable security procedures and practices” appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Over 120 jurisdictions globally have proposed or passed privacy regulations, and billions of dollars in fines have already been issued. Nevertheless, 79 percent of companies are failing to comply or struggling to keep up with these new regulations.

High Hopes for Legislative Clarity

Until recently, data has been a commodity that was used and exchanged in an unrestrained fashion because there was no comprehensive privacy regime in the United States, said Michelle Reed, a partner at Akin Gump, in a recent interview. With the introduction of the CCPA and similar legislation pending in other states, companies are having to change the way they do business. With the advent of more prescriptive privacy and cybersecurity requirements, companies are having to conduct new analyses.

Regulators are requiring companies to implement specific measures such as privacy by design. And while the points embodied in much of the legislation were best practices, they were not necessarily spelled out in most U.S. statutes, as is the clear trend now, said Natasha Kohne, also of Akin Gump, in a recent article. The onslaught of data privacy legislation comes at a price. Fines for violations can be hefty. Moreover, some state laws create a private right of action. As such, “privacy could turn into a class action nightmare,” said Cynthia Cole of Baker Botts in a recent interview. Besides reputational costs, says Cole, “the largest penalty in the U.S. is the cost of private litigation.”

The demand for privacy and data protection legal counsel has grown along with the evolving regulatory landscape. In a recent General Counsel Up-At-Night Report, 63 percent of respondents reported privacy and data security as a very important challenge. Within this, the top three concerns were phishing/malware, hacking, and compliance obligations.

The Market for Data Privacy Legal Services report indicated that in-house privacy staff has increased at a rate of as much as 33 percent year over year. It was also noted that 76 percent of multinational corporate respondents are using outside counsel for privacy and data security matters. Of the responding U.S. companies, 84 percent are using outside counsel. Almost half the companies reported spending growth and increased budgets for outside legal counsel. Importantly, many reported that they would be willing to pay outside counsel a premium for litigation and for interacting with regulators.

Information privacy is something every company must worry about. The global proliferation of laws dictating how businesses handle individuals’ personal data has translated into significant demand and opportunities for data privacy lawyers. Most of the Am Law 100 firms now have dedicated privacy practice groups with many more firms styling hybrid-like teams with governance, risk, or security. “There’s no question,” said Joel Wuesthoff of Robert Half Legal Consulting Solutions, “[privacy] is definitely a very hot space.”