Governments mobilizing against data privacy abuses

John Larimer, BridgeTower Media Newswires

As the digital age steamrolls forward, the exchange of sensitive personal information has become an intractable and necessary part of life. For the vast majority of humanity, not a day goes by without some exchange of digitized personal information.

In recent months, prestigious organizations like Dow Jones, Capital One, Facebook, Equifax, Microsoft Email Services and FEMA have joined the ever-expanding list of companies experiencing data breaches and/or engaging in data misuse, exposing sensitive information to a network of digital outlaws who may use such data for their own personal or organizational gain. To address the growing concerns over misuse of this sensitive information, legislative bodies and regulators here in the United States and around the globe are working to create laws, and enforce existing laws, that attempt to protect consumer data from unauthorized use, sale or negligent handling.

On July 24, 2019, the Federal Trade Commission (FTC) announced a $5 billion settlement with Facebook, the result of an intensive investigation by FTC regulators into the company’s handling of massive volumes of its (currently over 2.4 billion) users’ personal data. In its complaint against Facebook, the FTC commented that Facebook repeatedly “subverted users’ privacy choices to serve its own business interests.” It is by a wide margin the largest fine of this nature in FTC history, dramatically eclipsing a $22 million fine imposed on Google in 2012, and emblematic of a new era in governmental oversight of corporate usage of personal data.

The FTC’s investigation was triggered in the wake of the Cambridge Analytica scandal, which exposed the lack of controls within Facebook as to how its data was shared with and used by third parties. The FTC’s fine derived from its general enforcement authority under the FTC Act for “unfair and deceptive acts and practices in or affecting commerce,” but there is a growing movement around the globe towards the enactment and enforcement of laws aimed specifically at protecting personal information and corporate misuse of such data.

In 2016, the European Union passed the General Data Protection Regulation (GDPR). This consumer protection statute went into effect in May 2018 and created one data privacy standard for all 28 EU countries, standardizing what had been a more piecemeal approach under the EU Data Protection Directive. The GDPR was drafted with the intent of reaching both inside and outside of Europe, applying to entities that process data of individuals who live in any participating EU country. Although there are some fundamental questions regarding the EU’s ability to enforce the GDPR in non-member jurisdictions, the law purports to impact companies even if they do not have a European presence.

While the regulation is nuanced and complicated in its practical application, the fundamental principles of the GDPR require that organizations maintain technical and organizational measures that safeguard personal data. No personal data may be processed without a lawful basis specified by the regulation, or without specific (and revocable) consent from the data subject. The EU Data Protection Authorities charged with enforcing the regulation wield a heavy hammer, with authority to levy fines up to €20 million or 4% of the violator’s annual worldwide revenues, whichever is greater.

On this side of the pond, several states have recently enacted laws pertaining specifically to data privacy and protection, including California, Maine, Nevada and Vermont laws enacted within the past year that, although incorporating significant schematic variations, all include some requirement that companies allow consumers to opt out of having their personal data collected or, in the case of Vermont, registration requirements that disclose whether they have an opt-out provision.

The state regulation garnering the most attention is the California Consumer Privacy Act (CCPA), which will go into effect in January 2020; it gives consumers a host of rights with respect to their personal data, including the right to request detailed information from businesses  regarding data that was collected about them and how it was used, the right to require businesses to refrain from sharing or selling their personal data to third parties, and the right to require businesses to delete their personal data. The CCPA is aimed specifically at businesses with larger data-usage footprints, applying to businesses that satisfy one or more of the following thresholds: earn at least $25 million annual gross income; annually buy, sell or, for commercial purposes, share or receive the personal information of 50,000 or more consumers; or derive 50 percent or more of their annual revenues from selling consumers’ personal information.

The California Attorney General is responsible for enforcement of the CCPA and it includes penalties of up to $7,500 per violation. The CCPA also creates a limited private right of action for “unauthorized access and exfiltration, theft, or disclosure” of consumers’ personal information with allowable damages ranging from $100 to $750 per consumer, per incident or actual damages, whichever is greater. Although these penalties seem small in isolation, the cumulative penalties may be large where high volumes of consumer data are at issue. The CCPA prohibits businesses from “discriminating” against consumers who exercise their rights under the CCPA by denying goods or services to consumers or by charging consumers higher prices for goods or services.

Maine’s data protection law, An Act To Protect the Privacy of Online Customer Information, is considered one of the more stringent data privacy laws enacted to date, although unlike the CCPA, it only applies to internet service providers, not businesses in general. The Act protects a customer’s web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination internet protocol addresses, personal identifying information, and the content of a customer’s communications. It goes one step further than the CCPA, forcing internet service providers to require customers to “opt in” before their data may be used. The law prohibits internet service providers from using, selling or distributing customer data without consent, and goes into effect on July 1, 2020.

Nevada’s law, Senate Bill 220, effective Oct. 1, 2019, will require operators of internet websites and online services to follow a consumer’s direction not to sell his or her personal data. SB 220 is similar to the CCPA in that it affords businesses some leeway to establish the specific process for consumer opt-out requests. However, one significant difference from the CCPA is that it does not apply to financial and health care businesses subject to the specific privacy protocols of the Gramm-Leach-Bliley Act and HIPAA, respectively.

Vermont’s new data privacy law, Act No. 171, effective Jan. 1, 2019, seeks to protect consumers from “data brokers,” companies that aggregate and sell consumer information. Such entities must comply with registration, information security safeguards and reporting requirements. Enacted in the wake of and in response to the Equifax data breach, the law also prohibits credit reporting agencies from assessing fees for establishing or removing security freezes.

The Biometric Information Privacy Act, presciently enacted by Illinois in 2008, has gained recent attention due to a series of class action suits brought on behalf of consumers. The Act requires entities to obtain written consent from consumers prior to collecting any biometric information, such as fingerprints, voiceprints or scans of hand or face geometry. Facebook, Google, Shutterfly and Snapchat have all been targets of lawsuits pertaining to their collection of facial recognition data from posted photographs. Other states are now proposing similar biometric data privacy legislation.

This past year brought proposed data protection legislation in numerous states that did not, or have not yet, passed, including New York. State Sen. Kevin Thomas introduced the New York Privacy Act. The New York Privacy Act creates a private cause of action for violations of the statute and successful claimants are entitled to reasonable attorney’s fees. More significantly, the law applies to companies of any size and requires that companies act as “data fiduciaries” of the information collected from clients even to the point of putting a consumer’s interests above that of the stockholders. Some complain that the bill is overly broad, cumbersome and vague; and others are concerned that, if passed, the bill would create conflicting loyalties that are unworkable for any company especially smaller businesses. The bill did not make it out of the Consumer Protection Committee this session.

Industry representatives have voiced opposition to the increasingly complex and stringent privacy laws, fearing the challenges of complying with a patchwork of privacy laws that vary by state may be insurmountable. There is a growing contingent within industry and government that is calling for a federal standard that unifies and supplants the state laws, such as the bill proposed last year by Sen. Ron Wyden, D-Ore, titled the Consumer Data Protection Act (CDPA). The draft Consumer Data Protection Act is among a growing number of proposals for federal privacy legislation in the United States that could pre-empt state laws and allow for a consistent, country-wide approach to the standards for handling consumer data by businesses, similar to the effect that the GDPR has had in the EU. If passed, the CDPA would require certain covered entities to submit annual data protection reports to the FTC, and would give consumers a “Do Not Track” system, consistent data privacy rights throughout the country, and create minimum privacy and cyber security requirements for companies.

With the regulatory framework around data privacy rapidly and continually evolving, it can be time consuming, costly and confusing for companies to stay on top of the various data privacy developments, regulations and requirements. However, the ramifications of misusing personal consumer information can be severe, so staying well informed about the evolving legal framework is essential to avoid unnecessary penalties and maintain goodwill with consumer markets.

—————

John Larimer is founder and managing attorney of Larimer Law. Send questions about e-discovery to info@Larimer-Law.com.