Privacy: A Growing Focus on Privacy Raises the Stakes
Publication | 01.10.24
Broader privacy laws are proliferating throughout U.S. states. At the same time, federal and state regulators are pursuing more rigorous enforcement of data breaches. The interplay between these two trends is increasing the risk of privacy-centered litigation for businesses operating in all sectors.
Historically, state privacy legislation focused on specific aspects of privacy, such as the processing of biometric information, health information, children’s online data, etc. Recently, legislatures have moved away from this sectoral approach and have been increasingly turning to comprehensive privacy laws that regulate the way that businesses gather, use, and disclose personal data. These comprehensive laws typically give consumers certain rights, such as being able to access, correct, and delete their data, or they require businesses to implement procedures and agreements intended to protect such data. Under such laws, “privacy is not just a concern when a data breach has occurred,” says Matthew Welling, a partner in Crowell & Moring’s Privacy and Cybersecurity Group. Instead, Welling suggests that “you now have to think about how you collect, store, and handle data throughout your business.”
This legislative shift began in 2018, when California passed the California Consumer Privacy Act and became the first state to enact this type of comprehensive law. Other states gradually followed suit, and, by the end of 2022, four more states—Colorado, Connecticut, Utah, and Virginia—had comprehensive privacy laws on the books. This trend continued throughout 2023. The National Conference of State Legislatures reported that by September 2023, at least 25 states had considered comprehensive privacy laws during the previous nine months and eight had enacted them—Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. Absent comprehensive privacy legislation at the federal level, more states can be expected to join that lineup in the near future, opening the door to more privacy-related enforcement and litigation against companies.
While these state laws are similar, there are some important differences. Many companies are likely to be subject to these laws in states where they don’t have facilities but do keep personal information about customers and have remote workers. “Suffice it to say, a lot of businesses are going to need multistate compliance, which adds a pretty significant layer of complication for those companies’ data-privacy programs,” says Welling.
The public and governments are increasingly focused on protecting personal data in general, and “there is a broad agreement on a nonpartisan basis that this is a priority,” says Welling. This is leading not only to new state privacy laws but also to increased regulatory scrutiny of data breaches. Data breach laws are essentially a specific type of privacy law. Thus, Welling says, “there is a natural progression to use the resources devoted to data breach enforcement for privacy enforcement as well. We are seeing a lot of state and federal regulators, who historically focused more on data breach laws, start to lean in on the comprehensive privacy laws.”
Indeed, from a litigation perspective, data breaches and the rapidly expanding state privacy regimes are closely related. All 50 states now have laws requiring disclosures of data breaches. These disclosures are public in almost all states and are often available online. Thus, data breach information “is very findable now; notification is no longer just a company letter to a state attorney general,” says Welling. “With so much of the information public, it doesn’t take a lot of work for regulators in other states or at the federal level to tie it to their privacy enforcement efforts.” Plaintiffs’ attorneys also pay attention to those disclosures, and the growing number of privacy laws provides them with another avenue for shareholder and class action lawsuits.
Much of this is new territory. “Some of these laws are not even in effect yet, and the field is fairly nascent in terms of regulations and precedent,” says Welling. In this environment, companies need to keep track of growing state legislative efforts and the emerging strategies of regulators around privacy—and remain vigilant. “Companies are in that spot under the law where they don’t know what they don’t know,” he says, “and that’s a challenge for legal departments.”