After a whirlwind start to this year (let’s leave the decade debates aside please), we’re finally ready to start making our 2020 predictions for privacy, data partnerships, and data strategy. This is where we lay out our view for how businesses, regulators, government, and internet users will shift the rules and change the way we think about data. We were pretty close with our predictions for 2019 but, ideally, 2020 will turn out to be a little better for everyone than last year, which was, uh, a little much.
Prediction 1: More State Laws and More Confusion
2019 featured no shortage of scrambling and confusion in the wake of CCPA’s passage, revision, and pending applicability. The California AG’s office’s fairly aggressive commentary on the law and its proposed enforcement didn’t do much to calm concerns either, and there’s every reason to believe that CCPA worries will become increasingly frenetic as we approach the statutory enforcement start date of July 1.
But CCPA is far from the only game in town; states across the USA are contemplating their own approach to privacy and data regulation. Sometimes, as in Ohio and Texas, those laws are designed to be a carrot, incentivizing good behavior and offering safe harbors for the “right” kind of activity. But more frequently, states are trying to out-California California. Washington’s proposed privacy act is essentially a GDPR for the Northwest, with the same kind of rights, definitions, and enforcement protocols. Nevada has already taken a step towards more robust regulation, and rumblings in Albany suggest that New York will too. And of course, as we’ve discussed, California may not be quite done yet. The prospect of CPREA on the books in 2021 is a real one, and the possibilities for confusion and litigation abound.
That, in many ways, is the real story of state legislation on privacy so far: lots of talk, little enacted law outside California, but plenty of worry and wasted time. Offering CCPA compliance “solutions” has become a cottage industry (just as GDPR “prep” blossomed in Europe in 2017-18). Look for more confusion this year as state legislatures continue to experiment with the concept of what a privacy law looks like, even as they ignore the real-world implications of what the law requires. Case in point — will we ever get a clear idea of what a “household” means under CCPA, or will it simply be replaced by the “data subject” model in other states? As long as we don’t know how the AG (and, more importantly, the courts) construe the word “household,” we’re basically just guessing.
One Thing You Should Do
In the face of this uncertainty, we recommend conducting a data inventory in a machine-readable, easily edited format (if you’re doing it alone, use Excel if you have to, but CSV or JSON would be better). Get as complete a list of your data inflows as possible, record which data elements each one carries, and identify where they’re stored. At the very least, you’ll be able to demonstrate that you’re starting the process of building a compliance regime and understanding what data you hold. The real work of pairing that data with legitimate purposes and use-case limitations comes later: for now, walk before you run.
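One way to keep that inventory machine-readable from day one, as an added example that is not part of the original post: each inflow is a JSON record, a gap check tells you which records you still cannot answer basic questions about, and the same data flattens to CSV for anyone who insists on a spreadsheet. The field names, the two sample inflows and the storage labels are this example’s own constructed assumptions, not a standard.

```javascript
// Added example, not from the original post. A data inventory as JSON records,
// with a check for the gaps that matter once rights requests start arriving.

// Constructed sample inventory: one record per data inflow. The second record
// is deliberately incomplete to show what the gap check catches.
const INVENTORY = [
  {
    source: "web-signup-form",
    dataElements: ["email", "name", "ip_address"],
    storedIn: ["postgres:prod/users", "mailchimp"],
    purpose: "account creation, transactional email",
    retentionDays: 730,
    thirdParties: ["mailchimp"],
  },
  {
    source: "analytics-pixel",
    dataElements: ["cookie_id", "ip_address", "page_url"],
    storedIn: [],            // not yet traced: nobody knows where this lands
    purpose: "",
    retentionDays: null,
    thirdParties: ["ad-network-x"],
  },
];

// Every record must carry these fields (assumed schema for this example).
const REQUIRED = ["source", "dataElements", "storedIn", "purpose", "retentionDays", "thirdParties"];

// Returns human-readable gaps. An empty list means every inflow has a known
// storage location, a stated purpose and a retention period.
function findGaps(inventory) {
  const gaps = [];
  const seen = new Set();
  for (const rec of inventory) {
    const label = rec.source || "?";
    for (const f of REQUIRED) {
      if (!(f in rec)) gaps.push(`${label}: missing field '${f}'`);
    }
    if (seen.has(rec.source)) gaps.push(`${label}: duplicate source`);
    seen.add(rec.source);
    if (!rec.storedIn || rec.storedIn.length === 0) gaps.push(`${label}: no storage location recorded`);
    if (!rec.purpose) gaps.push(`${label}: no purpose recorded`);
    if (rec.retentionDays == null) gaps.push(`${label}: no retention period`);
  }
  return gaps;
}

// Which inflows carry a given data element? This is the question an access or
// deletion request turns into, and the inventory should answer it instantly.
function whereIs(inventory, element) {
  return inventory.filter(r => r.dataElements.includes(element)).map(r => r.source);
}

// Flatten to CSV so the same inventory can live in a spreadsheet.
// List-valued fields are ';'-joined; fields with commas or quotes are quoted.
function toCsv(inventory) {
  const esc = v => {
    const s = Array.isArray(v) ? v.join(";") : (v == null ? "" : String(v));
    return /[",\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
  };
  const rows = inventory.map(r => REQUIRED.map(f => esc(r[f])).join(","));
  return [REQUIRED.join(","), ...rows].join("\n");
}

// Usage: list the gaps, then answer "where do we hold IP addresses?"
console.log(findGaps(INVENTORY).join("\n"));
console.log("ip_address held by:", whereIs(INVENTORY, "ip_address").join(", "));
console.log(toCsv(INVENTORY));
```

The gap check is the useful part: an inventory you cannot query is just a list, and the first rights request will expose every inflow whose storage location or retention period was never written down.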
Prediction 2: Privacy Compliance Tools Become Ubiquitous
This is kind of a cheat prediction, because there are already so many privacy solutions on the market that we’re more or less describing the world as is. But the way we mean “ubiquitous” is not “there are a lot of them,” but rather “use of these tools becomes commonplace, even among small companies.” Right now, market penetration for privacy tools in large, publicly traded companies is at around 100%: you can’t have a compliance department (as every publicly traded business does) without them more or less mandating the use of at least one privacy/data regulation tool, usually one that promises to do everything all at once.
But, in our experience and our conversations, smaller businesses (and even medium-sized ones) have largely shied away from spending the money on these tools because, frankly, the cost-benefit ratio largely swung in favor of waiting to see if they were worth it. Drawing upon the point we made above, many of these companies assumed that, until they had a clear idea of how the laws and regulations would apply, it didn’t make sense to spend time and resources on a buildout of a privacy solution. Why buy product X today when SaaS tool Y will serve you better tomorrow?
Now, though, we think that the market is shifting, and privacy tools will start to achieve real breakthroughs in the SME market. By segmenting users without necessarily tracking them, some of these tools will allow businesses to identify ways to draw value from data without running the kind of regulatory risks that were unavoidable even a year or two ago. Be on the lookout for how these tools can work for you. And don’t assume the benefits of these tools apply only in the B2C context: Our friends at B2SMBi will likely be able to attest to this phenomenon as time goes by, but the need for better business-to-business privacy management will spur growth for these tools in that sector as well.
One Thing You Should Do
Don’t mess around with halfhearted tracking/cookie management systems that throw up a banner and say “You’ve already agreed to us setting cookies by existing.” A banner that sets the tracking cookies before anyone clicks anything is not consent management; it is a notice with extra steps. Take a look at some of the better solutions out there — we were early supporters of Daniel Johannsen’s Cookiebot platform. Whatever tool you use, the earlier the better: once you start using cookies as the only way to know your clients, it’s a very hard habit to break.
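What the difference looks like in code, as an added example that is neither Cookiebot’s code nor the original post’s: cookies are assigned to a category, only “necessary” cookies are written unconditionally, everything else is held back until the visitor opts in to that category, and withdrawing consent actually expires what was written. The category names, cookie names and the in-memory cookie jar are this example’s assumptions; in a browser the sink would be `s => { document.cookie = s; }`.

```javascript
// Added example, not from the original post or from any consent vendor.
// Consent-gated cookie writes: nothing outside "necessary" is set until the
// visitor affirmatively opts in, and withdrawal expires what was set.

// Assumed category grouping for this example.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

class ConsentGate {
  // writeCookie: sink for serialized cookies, injected so this runs without a DOM.
  constructor(writeCookie) {
    this.writeCookie = writeCookie;
    this.consent = {};
    for (const c of CATEGORIES) this.consent[c] = (c === "necessary");
    this.pending = [];     // writes held back until the visitor opts in
    this.written = {};     // category -> Set of cookie names, so withdrawal can expire them
  }

  // The pattern the text warns about, kept only for contrast: treating
  // presence on the site as consent to every category.
  static assumeConsentByExisting() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return all;
  }

  record(category, name) {
    if (!this.written[category]) this.written[category] = new Set();
    this.written[category].add(name);
  }

  // Returns true if the cookie was written now, false if it was parked.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    const serialized = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    if (!this.consent[category]) {
      this.pending.push({ name, category, serialized });
      return false;
    }
    this.writeCookie(serialized);
    this.record(category, name);
    return true;
  }

  // Called when the banner is submitted: only the granted categories are flushed.
  grant(categories) {
    for (const c of categories) if (CATEGORIES.includes(c)) this.consent[c] = true;
    const stillPending = [];
    for (const p of this.pending) {
      if (this.consent[p.category]) {
        this.writeCookie(p.serialized);
        this.record(p.category, p.name);
      } else {
        stillPending.push(p);
      }
    }
    this.pending = stillPending;
  }

  // Withdrawal must remove, not just stop adding: expire every cookie in the category.
  withdraw(category) {
    if (category === "necessary" || !CATEGORIES.includes(category)) return;
    this.consent[category] = false;
    for (const name of this.written[category] || []) {
      this.writeCookie(`${name}=; Max-Age=0; Path=/`);
    }
    delete this.written[category];
  }
}

// Usage with a constructed stand-in for document.cookie.
const demoJar = [];
const demoGate = new ConsentGate(s => demoJar.push(s));
demoGate.setCookie("session_id", "s3cr3t", "necessary");   // written immediately
demoGate.setCookie("_ga", "GA1.2.1234", "statistics");     // parked until opt-in
demoGate.grant(["statistics"]);                             // flushed now
console.log(demoJar);
```

The point of the `written` map is the part most banners get wrong: toggling a category off in the preferences panel has to expire the cookies that were set while it was on, otherwise the “withdraw consent” control is decorative.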
Prediction 3: Once Again, The Feds Drop the Ball
There won’t be a comprehensive federal privacy law in 2020.
That’s it, that’s the prediction.
Alright, fine, some explanation. We’ve said for some time that the political will to regulate privacy exists in Washington, but it’s diffused across a number of political groupings, some of which are unexpected. Ron Wyden, certainly, has established a name for himself as a serious proponent of data regulation at the federal level, but he isn’t the only one these days. Senate Democrats proposed a robust federal privacy law last fall, and many Republicans have already expressed their serious concerns with the nature of data collection, surveillance, and nudging.
But wait, you might ask, doesn’t that make it more likely that we’ll see a federal privacy law in 2020? If there’s consensus that things are problematic as they are and that change is necessary, what could stifle movement on a bipartisan issue that’s pretty popular with voters?
Two answers: Donald Trump and federalism.
In any presidential election year, legislative focus shifts to key issues like the economy and national security. But this isn’t any presidential election, of course, and the full mobilization of both parties for their respective candidates has already reached fever pitch some ten months before Election Day. It’s hard to imagine either party giving a victory to the other by putting together the kind of comprehensive privacy law that would be necessary to be more than window dressing. Also, as we’ve mentioned, election years are bad times to call for limits on massive data collection and analysis given they are the lifeblood of every candidate’s campaign. You don’t bite the hand that feeds you voter identification intel.
The federalism issue is a little more nuanced, and is something of a codeword for “preemption.” If Congress enacts a law that preempts state privacy laws, it can effectively establish both a ceiling and floor for state laws: different varieties of preemption leave some room for states to be more rigorous, other varieties effectively exclude states from legislating altogether.
Some Republicans have expressed a desire, both privately and on the record, to cabin the effect of more aggressive state privacy laws (ahem, CCPA) that would introduce liability for executive leadership at data brokers or limit the use-cases of datasets sold across borders. Democrats vary, too, in their approach to the question, with more regulation-minded legislators (e.g., Wyden) pushing for federal laws that set a minimum but allow states to be more aggressive; others have expressed caution.
In any event, despite the widespread appeal of a privacy law and the general agreement that something must be done, the fractured and fractious nature of our politics means that we think a privacy law is unlikely this year. Look to 2021 for the first real shot at a statute from Washington.
One Thing You Can Do
Go read all of the Federal Trade Commission guidance (or find someone who’s already done so) and think about how to incorporate it into your data and privacy compliance regimen. In the absence of a federal law, the FTC will continue to run point on enforcing privacy in the U.S. under its authority over unfair and deceptive practices. In many ways, that’s good news, because the FTC has been extremely prolific in explaining its approach to privacy and its expectations for what businesses can, and must, do. Taking the time to understand those positions can save a great deal of time and stress later.
Prediction 4: Transatlantic High Drama
Get ready for a wave of argument and negotiation over how data moves from the EU to the UK, from the UK to the US, and back again. This last prediction is pretty involved, but stay with us, because it has political intrigue, massive data collection practices, and the chance for secret Anglo-American dealings. It’s like a Tom Clancy book, except, you know, one of the not very good ones.
Although Brexit was the big talk in the second half of 2019 (and the first half, and 2018, and 2017…) the really big question for the UK is this: now that the deal is done, what’s actually going to happen? Obviously, there are substantial economic and political questions, but for our purposes here, it’s clear that cross-border data flows from the EU to the UK will need to have an independent basis, just as they do for any other country without an adequacy decision from Brussels. And the Commission has already indicated that the UK will be at the “back of the line” for any such determination.
Part of that, of course, might be bluster. After all, GDPR applied directly in the UK, supplemented by the Data Protection Act 2018, and the withdrawal legislation retains it in domestic law. So, by definition, the legal standards for data protection in the UK meet GDPR because they are GDPR. And UK companies, too, have had to comply with Brussels’ requirements since May 25, 2018, so it’s hard to claim that the general practice in the country isn’t sufficient for regulatory purposes. A prolonged delay in granting adequacy to the UK might be seen as punitive, but it also wouldn’t technically violate any trade deals or WTO regulations.
Meanwhile, we’re all waiting to hear what the Court of Justice of the European Union is going to do about Privacy Shield and the Standard Contractual Clauses. The former is the (horribly named) program that allows for data transfers to the US from the EU. You see, the EU courts don’t like that US intelligence agencies can access the data held by large American tech companies without safeguards or redress equivalent to those in the EU. As a consequence, in 2015 the CJEU ruled that the existing basis for transferring data to the US was invalid, eliminating the old transfer regime (called “Safe Harbor”). Privacy Shield made those transfers legal again, but it is currently being litigated before the CJEU again, and the cards don’t look good for the US.
Another key method for transferring data is use of Standard Contractual Clauses, which are addenda that you tack onto a contract to allow data to leave the EU and arrive in the US. It’s basically a promise that you’ll follow GDPR principles. SCCs are also under review at the CJEU, and, although they’re likely to survive, it isn’t a guarantee, and they’re certainly not perfect. (They were drafted before the GDPR, and so they don’t even recognize the possibility of a data controller established outside the EU, even though that’s something the GDPR expressly contemplates. Whoops).
Well, let’s take these two phenomena together: once the transition period ends, the UK is technically unable to receive data from the EU without an independent basis, but it can share data all it wants with the rest of the world; the US and the UK are already working on a (“Yuuuuge”) new trade deal; and UK businesses are going to be looking to ensure that they have a good hedge against potential loss of business from the EU.
The outcome? We think the UK will use the US trade deal as a cudgel to get an adequacy determination from Brussels faster than it otherwise would, but not before it secures a robust trade deal with the US that includes provisions on data sharing, cross-border data flows, and perhaps even something akin to a mini “adequacy decision” by the UK for the US. And, given the massive amount of financial services data that flows into both countries, anticipate seeing a surge in fintech tools with an Anglo-American focus.
One Thing You Can Do
If you’re in the cross-border data transfer business (and you may well be even without thinking about it), you need to determine right away whether you should have been using SCCs. They’re available from the EU (link), but you really need privacy counsel to help you understand their applicability and how to use them properly — as we said, they are far from perfect. Also, if you’re currently Privacy Shield certified, don’t freak out about the prospect of losing certification if/when the program gets the kibosh. There was a grace period last time, and we think there will/would be this time too.
Remember that these predictions aren’t guarantees, and you shouldn’t base your life and business on them without serious consideration and expert advice. (Obviously, if you come to us for advice this is what we’re going to give you, but you get my meaning). That said, the trends over the past few years point in the general direction we’ve outlined here: state regulation, federal dithering, new data partnerships fueling the need for privacy tools, and utter confusion about GDPR in the US (and, frankly, Europe). In other words, even if these predictions are only mostly right, following the counsel we’ve set out here will ensure that you’re not caught completely unaware by what 2020 may bring.