Unlike many countries, the United States has no single, comprehensive law governing how businesses collect and use individuals’ personal data. As consumers become more aware of the extent to which businesses accumulate, buy, sell and share personal information, states are beginning to step in and pass their own regulations. How will this affect law firms?
Major technology companies in the U.S. have enjoyed a business environment with relatively little regulation for decades, allowing them to flourish while establishing their own sets of rules about how their industry works. A lack of understanding about the details of tech giants’ products and practices, coupled with a fear of slowing one of the most successfully growing sectors in the economy, have made lawmakers reluctant to intervene.
Plus, for most of their lifetimes, tech companies have been seen as the good guys — creators of wealth and opportunity with little downside. Only recently have people begun to seriously analyze the roles technology companies like Facebook and Google, which control over half the worldwide market in online advertising, play in society.
The Cambridge Analytica scandal, in which it was revealed that personal information of up to 87 million people was mined for the purpose of influencing a presidential election, threw the issue of personal data privacy into the spotlight, revealing uncomfortable facts about how rampantly information is gathered and shared without users’ knowledge. Since the uproar, Congress has held hearings and Mark Zuckerberg has testified, but very little movement has occurred on nationwide personal data protection in America.
More about privacy proposals before Congress: Can We Stop The Spread of Propaganda Online?
The U.S. is unique among developed nations in its lack of attention to the protection of its citizens’ personal data. Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) went into effect in April of 2000. Chile and Hungary have both had privacy laws in place since the 1990s. And the Philippines has a particularly strong set of rules, requiring those who collect personal data to get informed consent from users.
These privacy laws define in various ways what constitutes personal data; describe how data can be collected, stored and processed; and establish consumers’ rights with relation to the use of their data.
Perhaps the most well-known international privacy law is the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The GDPR replaced the 1995 European Data Protection Directive (Directive 95/46/EC).
In the U.S., some states are not waiting on the Congress to act. New York's Cybersecurity Rules and Regulations (NYCRR 500), which govern data privacy in the financial sector, took effect in 2017. And California has recently passed a data privacy law that is being compared to GDPR. The California Consumer Privacy Act of (CCPA) was signed by Jerry Brown in 2018 and will go into effect on January 1, 2020.
Most Americans are likely to be only indirectly aware of GDPR, and then only through the series of notices they received last year asking them to agree to updated privacy policies for online services. Law firms, however, had to be more cognizant of the regulations, as they define obligations for businesses that obtain or store or share personal data.
The GDPR designates two types of entities that handle data: controllers and processors. Controllers own data, and processors process that data.
Under GDPR, law firms are data controllers, as they are in possession of personal information, both for their clients and their employees. If a firm hires, for example, a payroll company, the payroll company would be a data processor. Companies that provide practice management software are also processors. Since requirements under GDPR are more stringent than those to be enacted under CCPA, it is likely that law firm practice management software companies are already in compliance. However, it is up to the data controller — the law firm — to do its due diligence and confirm third-party companies that process clients’ personal data are in compliance with both laws.
What is the CCPA?
The California Consumer Privacy Act was written and passed in response to a push by privacy activists who aimed to force a vote on new regulations through California's ballot initiative process. Alastair Mactaggart, a real estate investor and leader of the movement, became interested in data privacy after a dinner during which a friend who was software engineer at Google told him that most Americans would be horrified if they knew the scope of the data Google had on them.
Mactaggart began to research the issue and found that the success of Silicon Valley's tech giants depended heavily on unfettered access to user data. He contacted a series of privacy experts to help determine the best way to regulate data use, and he and a team of volunteers managed to get enough support to place a data privacy law on the California ballot. Voters would have been asked to decide on the matter in the 2018 midterms. However, faced with the prospect that voters may approve a measure they had no say in crafting, the California legislature created and passed California's privacy act, successfully shielding the issue from a popular vote.
The CCPA lays out consumer rights and business and service provider responsibilities with respect to personal data. Specifically, the CCPA establishes:
1. A right to disclosure: Consumers have the right to know what data a business collects, how it is used and whether it is sold. If data is sold, consumers have the right to information about the third party that receives the data.
2. A right to opt-out: Consumers can forbid businesses from selling their data to third parties.
3. A right to deletion, similar to the EU's right to be forgotten.
4. A right to equal pricing: Consumers cannot be charged more if they opt-out.
Penalties for businesses who do not comply with the new law are up to $7500 per violation.
The CCPA has the potential to establish protocols that will ultimately be adopted by other states, or the federal government. California prides itself on its regulatory innovation, and as the fifth largest economy in the world, it has the power to influence guidelines nationwide, whether lawmakers in other states like it or not.
Comparing GDPR and CCPA
The CCPA's designations of “business” and “service provider” are similar to the GDPR's definition of controllers and processors. Under the CCPA, a law firm that has possession of California residents' personal data is a “business.” A third-party processor, like a payroll company, is a “service provider.” Both laws establish the obligations of businesses, controllers and processors. However, California's privacy law differs from the GDPR in several meaningful ways, including the following.
Physical scope: California's law applies to controllers that “do business in the State of California,” regardless of location, if they process California residents' data. Similarly, EU's law applies to entities established in the EU, or those that control or process the data of EU residents.
Threshold: To be designated a business under the CCPA, a company must be for-profit, meet a baseline revenue amount, use data for commercial purposes and be in possession of the data of at least 50,000 Californians.
Opt-in v. opt-out: A notable difference between the CCPA and many national privacy laws is whether users must opt-in or opt-out of having their data shared. The CCPA allows users to opt-out of having data shared or sold; by default, users are opted-in. GDPR, in contrast, requires user consent to be “freely-given, specific, informed and revocable.” Users must explicitly opt-in to having personal data shared.
Internal and external use of data: One of the biggest differences between the two laws is how they treat data processing. Under the GDPR, data processing is only allowed if it meets one of six lawful standards. Additionally, one entity can be both a controller and processor.
The CCPA assumes most data processing is legal. Therefore, while users can opt-out of having personal data sold to a third-party, they have very little control over what a company does internally with their data. This distinction is likely why the legislation was able to be passed without major objections from Silicon Valley.
This is also why, as Wired Magazine argues, the CCPA will have little effect on a large company like Facebook. Facebook uses personal data to target ads, but it does this almost entirely internally — very little data is shared with advertisers. Since processing data internally is legal, most users won't notice a difference. Companies who will get hit are smaller, third-party vendors that do the middle man work of selling user data.
Personal data: The CCPA has an expansive view of personal data. Personal data can be any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes things like an IP address in addition to more obvious facts like an address or phone number.
Right of action: The CCPA does not establish a right to sue companies that misuse data, except in the case of data breaches. GDPR gives users a right to sue in both EU and U.S. courts.
How can law firms prepare for a new wave of privacy laws?
For now, if your firm is not doing business with residents of the EU or California, you do not need to immediately worry about compliance with either law. However, the trend in the U.S. and worldwide is toward more protection for personal data privacy. Other states may adopt similar laws. If enough states choose to act, the federal government may be forced to reconcile the patchwork of regulations with a new set of standards.
Take these steps to ensure your firm is compliant now and into the future:
1. Evaluate your collection and storage of all personal data, including that of clients, attorneys and staff. Banking records, addresses, emails, phone numbers — all of these are examples of personal data subject to both GDPR and CCPA.
2. Assess how this data moves within your firm and for what purpose.
- How is personal data used?
- What is your data flow?
- Are you sharing data with any third parties? Do you, for example, have practice management software that stores user data?
- Make a list of third-party data processors
3. Establish opt-in and opt-out protocols.
- How do you establish consent for collecting data?
- What options do clients have for opting-out of having their data shared?
4. Evaluate your privacy policies
- What are your current privacy practices?
- What mechanisms do you have for sharing privacy policies?
5. Evaluate your data security practices.
6. Establish a data management hierarchy.
- Determine who within the firm is responsible for making decisions about privacy and personal data.
- Determine who is responsible for overseeing third-party vendors.
Knowing where you stand with your data use and management is the first step in ensuring quick compliance should new laws be passed. It is also a best practice that will help prevent costly breaches — good for your clients and your firm.