In the past several weeks, we have covered some highlights of international and domestic privacy and security regulation (GDPR and CCPA, respectively). As the regulations exist today, companies are faced with a 50-state privacy and security landscape that may lead to patchwork solutions and piecemeal implementation. As more and more states enter the game of passing their own GDPR or CCPA-style legislation, the road-map for compliance threatens to become more complicated, not less. We will not be shy about expressing our view that uniform federal privacy regulation is the solution to this predicament. The passage and looming effective date of the CCPA creates a unique moment when stakeholders are motivated to come to the table with concessions, but whether we can make a deal remains very much an open question.
Privacy and security legislation has continued to sweep the nation as one ripple effect of GDPR and CCPA. In the first month of 2019, 13 states have introduced legislation on privacy and/or security, including Arizona, Hawaii, Iowa, Massachusetts, Maryland, Missouri, Nevada, New Jersey, New Mexico, New York, Oklahoma, Washington and Virginia. More states are certain to throw their hats into the ring as legislative sessions progress. The result of this flurry of activity is a great deal of time and money spent analyzing and implementing the requirements of various laws. Companies with a foot in more than one state may be forced to choose the most restrictive law and comply with that in lieu of implementing different programs for different states. While privacy advocates may celebrate the impact of a “most restrictive state wins” approach, if we ignore where we are at this point in history, we may squander an opportunity for meaningful and uniform federal rules.
States aren’t the only lawmakers that are active on the subject of privacy and security; legislators in the federal government introduced their own series of bills on these subjects in the last quarter of 2018. The International Association of Privacy Professionals is a source of valuable information on state and federal privacy and security legislation. For example, Muge Fazlioglu’s white paper entitled “Consensus and Controversy in the Debate Over Federal Data Privacy Legislation in the United States” (available via the IAPP) is thorough and concise. Many of these proposed laws contain consumer rights similar to those contained in the GDPR and CCPA, including access, correction, deletion, portability and consent. As pointed out in the white paper, there is agreement among both privacy advocates and representatives from the business sector that any eventual federal law should be uniform and apply across all industries. This sector-neutral approach is a significant shift and an example of a willingness to compromise. We will discuss this topic in further detail below.
One area that has never garnered consensus is federal preemption of state privacy laws; but in our view, it is an equally essential part of the solution. Simply put, if proposed federal legislation does not contain strong preemption language, it will not solve the greatest difficulty and expense companies face today: understanding and implementing various federal and numerous state laws. A brief review of the history of federal preemption reveals that it is limited and not very common. The more common approach is for federal legislation to set a floor, and for state regulation to set a ceiling. In other words, the federal government generates minimum standards and the states are free to pass more stringent rules. GLBA is the prime example of a federal law that is explicitly superseded by more restrictive state laws. For this reason, the debate around preemption is often heated, with advocates of more stringent regulation believing that those advocating for preemption are asking for looser rules. While this may well be true in other scenarios, the current consensus around the need for a uniform federal privacy law reveals that it is not an accurate picture of where we stand today. If federal preemption is not permitted, any eventual federal law will become just another layer in a stack of complicated state and federal privacy regulations, companies will continue to face the reactionary and expensive patchwork solution process, and the incentive to come forward with concessions in favor of consumers will evaporate. In short, we have an opportunity to create meaningful and uniform federal regulation that both protects consumers and facilitates companies’ implementation of effective privacy and security programs.
A perusal of what might be included in federal legislation instructs us that stakeholders are very serious about compromising with the privacy lobby in order to achieve common sense, uniform results. In some instances, drafts of legislation contain more restrictive requirements than the CCPA. The representatives with whom we have interacted understand that in order to seek a uniform solution, they will need to compromise on what the proposed legislation contains. By way of example (and as cited in the IAPP white paper), there is broad agreement that any federal law should apply across all lines of business. The pattern of federal privacy and security regulation has been to establish a rule, and then write in exceptions to the rule for particular industries that aren’t the direct target of such laws. Lobbying efforts of this kind were successfully undertaken when the FCRA and GLBA were passed. This means that industry participants may be ready for a law that is both more stringent and has greater scope than previous federal privacy laws. As another example of this willingness to compromise, several of the proposals have included an opt-out for mere collection and sharing, as opposed to the less stringent opt-out only for selling contained in the CCPA; and some drafts of federal legislation contain even more restrictive opt-in requirements. We should not ignore the unique opportunity that the pending implementation of CCPA presents.
The preamble to the CCPA references the Cambridge Analytica controversy, and some ancillary industries rightfully feel swept up in the urgency to regulate companies like Facebook. With this “we are not the bad guys” mentality, it might be easy enough to seek exemption for specific lines of business, but this will also erode the strength and scope of any eventual federal law. It seems now that stakeholders are ready to accept uniform regulation across all sectors. With significant time and resources already spent on CCPA compliance programs, we may miss the opportunity presented by the business sector’s willingness to compromise if we do not act promptly. In this era of polarization and government shutdowns, and with a California Democrat leading the US House of Representatives, only time will tell if what seems like bipartisan consensus can result in a bipartisan solution.
THIS BLOG POST AND ASSOCIATED MATERIALS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND NOT PROVIDED FOR THE PURPOSE OF PROVIDING LEGAL ADVICE. YOU SHOULD CONTACT YOUR ATTORNEY TO OBTAIN ADVICE ON ANY PARTICULAR ISSUES. THE OPINIONS AND VIEWS EXPRESSED IN THIS POST REPRESENT THE OPINIONS AND VIEWS OF THE INDIVIDUAL AUTHORS AND MAY NOT REFLECT THE OPINIONS OR VIEWS OF A PARTICULAR COMPANY.
Ms. Redman practiced commercial real estate law for 11 years in Atlanta, Georgia. After developing expertise in title insurance, she joined a leading title insurer based in Santa Ana, California. While in this position, Ms. Redman developed expertise in privacy regulation. In January 2019, Ms. Redman joined Fidelity National Title as Senior Vice President, Western Region, Fidelity National Title Group, where she will interface with clients and customers on a variety of subjects, including underwriting and reinsurance.
ICSynergy International LLC has provided CyberSecurity strategy and implementation services for over 15 years. Since our early days of delivering world class Identity Management solutions, we always look at Cybersecurity through a people, process and technology lens. This approach becomes even more important when looking at the repercussions of a GDPR or CCPA breach. Let ICSynergy’s team of privacy and security professionals help you to formulate your approach to GDPR and CCPA.
Phone: (214) 764-7644 | 5601 Democracy Drive, Suite 205 | Plano, TX 75024
ICSynergy is a trusted Okta Gold partner, with more than 30 successful customer implementations and 30 additional hybrid engagements. Our experience helping organizations of all sizes integrate Okta with their cloud-based and hybrid applications makes us the partner of choice for Okta integrations.
Our experts can assist in your integration of Okta capabilities such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and lifecycle management, either out-of-the-box or with a custom solution. With ICSynergy’s SPGateway, we can extend your Okta solution to your on-premises applications, protecting your existing investment.
In addition, ICSynergy offers an array of advisory and managed services to meet any and all challenges arising from your Okta-based architecture.